Closed
Bug 535926
Opened 15 years ago
Closed 15 years ago
"ASSERTION: This is unsafe" with <iframe>, XBL
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
People
(Reporter: jruderman, Assigned: smaug)
References
Details
(4 keywords, Whiteboard: [sg:critical?])
Attachments
(4 files, 2 obsolete files)
(deleted),
text/html
|
Details | |
(deleted),
text/plain
|
Details | |
(deleted),
patch
|
sicking
:
superreview+
|
Details | Diff | Splinter Review |
(deleted),
patch
|
christian
:
approval1.9.2.7+
christian
:
approval1.9.1.11+
dveditz
:
approval1.9.0.next+
|
Details | Diff | Splinter Review |
###!!! ASSERTION: This is unsafe!: 'Error', file /Users/jruderman/mozilla-central/content/events/src/nsEventDispatcher.cpp, line 485
This is the assertion just added in bug 531176.
I'm not sure why I need the setTimeout.
Reporter | ||
Comment 1•15 years ago
|
||
Assignee | ||
Comment 2•15 years ago
|
||
So nsBrowserStatusFilter::OnStateChange calls some JS code which end up to
progressmeter.xml which dispatches ValueChange.
In this particular case I wonder why we even call OnStateChange.
I believe the document is already loaded but
#21 0x00007f82d1f3e2ec in nsDocument::BlockOnload (this=0x261b070) at /home/smaug/mozilla/mozilla_cvs/hg/src/content/base/src/nsDocument.cpp:7037
#22 0x00007f82d20e85c8 in nsBindingManager::AddToAttachedQueue (this=0x2158530, aBinding=0x226a5e0)
at /home/smaug/mozilla/mozilla_cvs/hg/src/content/xbl/src/nsBindingManager.cpp:955
adds new request to load group which triggers the method call.
Investigating...
Assignee | ||
Comment 3•15 years ago
|
||
But still, I think we can't easily prevent progress listeners to dispatch
events.
Comment 4•15 years ago
|
||
Hmm. We should avoid calling progress listeners for BlockOnload calls if we can do it...
Maybe we should stop faking the loadgroup thing and just directly have BlockOnload/UnblockOnload poke the docloader or something?
Comment 5•15 years ago
|
||
An example of this assertion can be seen on Windows 1.9.3 at least at http://www.slacker.com/
Reporter | ||
Updated•15 years ago
|
Whiteboard: [sg:critical?]
Assignee | ||
Comment 6•15 years ago
|
||
Not sure if this is sg:critical (at least when using the testcase).
That is happening in chrome, and during time we might get dom modifications anyway.
Assignee | ||
Comment 7•15 years ago
|
||
I wonder if, at least for now, the assertion should fire only if the
target of the event is in content.
Assignee | ||
Comment 8•15 years ago
|
||
Repeating this:
> Not sure if this is sg:critical (at least when using the testcase).
> That is happening in chrome, and during time we might get dom modifications
> anyway.
What in this bug makes this sg:critical ?
Reporter | ||
Comment 9•15 years ago
|
||
I only marked it as sg:critical because the assertion was added in an sg:critical bug. If this bug isn't a security bug, let's unmark the whiteboard and make it public.
Assignee | ||
Comment 10•15 years ago
|
||
Well, I wouldn't remove the security flag from this bug, but
this just may not be sg:critical.
Updated•15 years ago
|
Assignee: nobody → jonas
blocking2.0: --- → beta1
Olli, if this only results in events being fired at chrome windows, then why not remove the security flag?
Comment 12•15 years ago
|
||
Olli, any more thoughts on whether this needs to be sg:critical, or if it's even a security bug any more?
Assignee | ||
Comment 13•15 years ago
|
||
comment 4 says what should be done here, I think.
I think this doesn't need to be sg:critical, since there is no clear evidence
that content can trigger anything bad - unless ff ui or some extension starts
to handle status updates in a different way.
But this is still a security bug.
Comment 14•15 years ago
|
||
Looks like we should probably remove the sg:crit rating here, but there's ongoing discussion of what the ration should be. Thoughts?
Comment 15•15 years ago
|
||
If this is a critical vulnerability only exposed to extension code presently, we should lower the severity to sg:high. If we think it's likely that FF UI code would add changes triggering this vuln, then sg:critical severity is appropriate.
Assignee | ||
Comment 16•15 years ago
|
||
Or we can just fix this and not care too much about sg:*. :)
Taking. I'll try to write the patch on Thursday.
Assignee: jonas → Olli.Pettay
Assignee | ||
Comment 17•15 years ago
|
||
Um, I can't reproduce this atm.
I've tried on Linux and OSX, with and without html5 parser.
The assertion in this case was changed to a warning, but I can't see that either.
I wonder if bug 557398 changed something here.
Testing...
Assignee | ||
Comment 18•15 years ago
|
||
Backing out bug 557398 doesn't seem to affect to this bug.
Assignee | ||
Comment 19•15 years ago
|
||
Ah, perhaps LazyFrameCtor changed timing here. Which means this would still
need to be fixed in 1.9.2.
Assignee | ||
Comment 20•15 years ago
|
||
Not LazyFrameCtor. Still trying to find a build where I get the error
Assignee | ||
Comment 21•15 years ago
|
||
I can reproduce this at least on 1.9.2, when I added the same assertion/warning
what trunk has.
But patch needs to wait at least til tomorrow.
Assignee | ||
Comment 22•15 years ago
|
||
I posted this to tryserver
Assignee | ||
Comment 23•15 years ago
|
||
Comment on attachment 441281 [details] [diff] [review]
patch
Passed tests on tryserver.
Boris, what do you think about this approach?
A bit ugly, but since I think we want this to 1.9.2 too, I didn't
want to make huge changes. And I'm not even sure what would be
the best way to change nsDocLoader or something.
It would be quite hackish to add onloadblocker-type-of-requests
and handle them specially in docloader.
This relies on script blockers to be on stack and
PostUnblockOnloadEvent to handle things truly async.
Attachment #441281 -
Flags: review?(bzbarsky)
Assignee | ||
Updated•15 years ago
|
Status: NEW → ASSIGNED
Comment 24•15 years ago
|
||
Would it make sense to do:
if (!nsContentUtils::IsSafeToRunScript()) {
++mAsyncOnloadBlockCount;
if (mAsyncOnloadBlockCount == 1) {
nsContentUtils::AddScriptRunner(
NS_NEW_RUNNABLE_METHOD(nsDocument, this, AsyncBlockOnload));
}
return;
}
and have AsyncBlockOnload call BlockOnload mAsyncOnLoadBlockCount times, so as not to thrash things with lots of scriptrunners?
Having an API on docloader (whose job it is to keep track of when onload should fire) to block onload would be a lot less hacky than having this fake request, btw. But making it work right might be a pain...
Why is the new block in DoUnblockOnload needed? How can we get there with mAsyncOnloadBlockCount != 0?
Assignee | ||
Comment 25•15 years ago
|
||
(In reply to comment #24)
> Would it make sense to do:
> ...
> and have AsyncBlockOnload call BlockOnload mAsyncOnLoadBlockCount times, so as
> not to thrash things with lots of scriptrunners?
That should work.
> Why is the new block in DoUnblockOnload needed? How can we get there with
> mAsyncOnloadBlockCount != 0?
If some script runner (which is added before the AsyncBlockOnload script runner, so it runs before it) processes event loop.
Comment 26•15 years ago
|
||
Ah, ok. Do you want to post a patch with my suggestion from the beginning of comment 24?
Assignee | ||
Comment 27•15 years ago
|
||
Yeah, I will, in a minute.
Assignee | ||
Comment 28•15 years ago
|
||
Like this?
Attachment #441281 -
Attachment is obsolete: true
Attachment #441519 -
Flags: review?(bzbarsky)
Attachment #441281 -
Flags: review?(bzbarsky)
Comment 29•15 years ago
|
||
Comment on attachment 441519 [details] [diff] [review]
v2
Space after "while", please.
Updated•15 years ago
|
Attachment #441519 -
Flags: review?(bzbarsky) → review+
Assignee | ||
Comment 30•15 years ago
|
||
uh, how did I miss the space :/
Anyway, this is a security bug, so sr is needed.
Attachment #441519 -
Attachment is obsolete: true
Attachment #441526 -
Flags: superreview?(jonas)
Attachment #441526 -
Flags: superreview?(jonas) → superreview+
Comment on attachment 441526 [details] [diff] [review]
+space
Please add documentation on the member describing how it works. Took reading this a few times to figure it out.
And add a comment to ::BlockOnload describing *why* we're entering the if-statement.
Assignee | ||
Comment 32•15 years ago
|
||
Assignee | ||
Comment 33•15 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/6f7405a55a48
http://hg.mozilla.org/mozilla-central/rev/e5a075d4e5ba
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Comment 34•15 years ago
|
||
Just wanting to get this on the wanted/blocking list for future 1.9.2 release, as per earlier comments stating that this also affects 1.9.2.
blocking1.9.2: --- → ?
status1.9.2:
--- → ?
Comment 35•15 years ago
|
||
Does this affect 1.9.1 as well?
blocking1.9.2: ? → .5+
Updated•14 years ago
|
blocking1.9.2: .5+ → .6+
Comment 36•14 years ago
|
||
Bug 569674 is another regression from this, we need to figure that out before landing this on branches. Sorry I didn't mark it sooner.
Blocks: 569674
Updated•14 years ago
|
Assignee | ||
Updated•14 years ago
|
Attachment #441743 -
Flags: approval1.9.2.6?
Attachment #441743 -
Flags: approval1.9.1.11?
Comment 38•14 years ago
|
||
Comment on attachment 441743 [details] [diff] [review]
+some comments
a=LegNeato for 1.9.2.6 and 1.9.1.11. Please land this on mozilla-1.9.2 default and mozilla-1.9.1 default.
Code freeze is this Friday @ 11:59 pm PST.
Attachment #441743 -
Flags: approval1.9.2.6?
Attachment #441743 -
Flags: approval1.9.2.6+
Attachment #441743 -
Flags: approval1.9.1.11?
Attachment #441743 -
Flags: approval1.9.1.11+
Updated•14 years ago
|
blocking1.9.1: --- → .11+
status1.9.1:
--- → wanted
Comment 39•14 years ago
|
||
Comment 40•14 years ago
|
||
Comment 41•14 years ago
|
||
Verified for 1.9.2 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.7pre) Gecko/20100630 Namoroka/3.6.7pre ( .NET CLR 3.5.30729) using the attached testcase.
Keywords: verified1.9.2
Comment on attachment 441743 [details] [diff] [review]
+some comments
Requesting approval1.9.0.next on this patch so that we can take it in upcoming Camino 2.0.x security and stability updates. If approved, I'll handle the checkins, unless the patch author requests otherwise.
Attachment #441743 -
Flags: approval1.9.0.next?
Comment 43•14 years ago
|
||
Comment on attachment 441743 [details] [diff] [review]
+some comments
Approved for 1.9.0.20, a=dveditz
Attachment #441743 -
Flags: approval1.9.0.next? → approval1.9.0.next+
Checking in content/base/src/nsDocument.cpp;
/cvsroot/mozilla/content/base/src/nsDocument.cpp,v <-- nsDocument.cpp
new revision: 3.837; previous revision: 3.836
done
Checking in content/base/src/nsDocument.h;
/cvsroot/mozilla/content/base/src/nsDocument.h,v <-- nsDocument.h
new revision: 3.381; previous revision: 3.380
done
Keywords: fixed1.9.0.20
Updated•14 years ago
|
Group: core-security
Reporter | ||
Comment 45•14 years ago
|
||
Flags: in-testsuite+
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•