Closed
Bug 754156
Opened 13 years ago
Closed 12 years ago
"Assertion failure: principals == JS_GetCompartmentPrincipals((js::GetContextCompartment(cx)))" with view-source, pushState
Categories
(Core :: XPConnect, defect)
Tracking
()
RESOLVED
WORKSFORME
Tracking | Status | |
---|---|---|
firefox14 | --- | unaffected |
firefox-esr10 | --- | unaffected |
People
(Reporter: jruderman, Unassigned)
References
Details
(Keywords: assertion, sec-moderate, testcase)
Attachments
(3 files)
1. Save imgTag.html and c.html in the same directory.
2. Set security.fileuri.strict_origin_policy to false.
3. Load c.html
4. Push the big red button.
Result:
Assertion failure: principals == JS_GetCompartmentPrincipals((js::GetContextCompartment(cx))), at caps/src/nsScriptSecurityManager.cpp:208
This is a regression from cpg (ac00c792933e is ok, 400c2b30015d asserts).
Reporter
Comment 1•13 years ago
Reporter
Comment 2•13 years ago
Comment 3•13 years ago
I'm not too worried about this. It looks like the compartment principal here doesn't match the result of doGetObjectPrincipal. Probably some edge case with view-source, which tends not to be a problem in practice.
Unless the real issue here is that the compartment principal is incorrect, this will just go away when we rip out this code in bug 754202.
Comment 4•13 years ago
Just a note that I ran into this same assertion when opening the web console to try and debug some tests I was adding to iframe sandbox - see bug 341604 comment 144 and comment 149 for more details.
Comment 5•13 years ago
(In reply to Ian Melven :imelven from comment #4)
> Just a note that I ran into this same assertion when opening the web console
> to try and debug some tests I was adding to iframe sandbox - see bug 341604
> comment 144 and comment 149 for more details.
Also in this case, there's a crash with a null pointer deref after the assertion.
Comment 7•12 years ago
This is reproducible on Aurora/15, Nightly/16 but not Beta/14? on OSX with
http://lcamtuf.coredump.cx/cross_fuzz/cross_fuzz_msie_randomized_seed.html#-2043396143
http://lcamtuf.coredump.cx/cross_fuzz/cross_fuzz_msie_randomized_seed.html#-1281939812
Comment 8•12 years ago
I'm guessing that this will be fixed by bug 764389.
Comment 9•12 years ago
(In reply to Bobby Holley (:bholley) from comment #8)
> I'm guessing that this will be fixed by bug 764389.
I cannot reproduce the assertion with the URLs in comment 7 on this morning's debug Nightly/16 but still can with Aurora/15, so at least as far as cross_fuzz is concerned it does look like this was fixed.
Comment 10•12 years ago
Can somebody check this on 15? Bobby landed 764389 since comment 9. It would probably also be good to check Jesse's original test case.
status-firefox14: --- → unaffected
Updated•12 years ago
status-firefox-esr10: --- → unaffected
Comment 11•12 years ago
(In reply to Bobby Holley (:bholley) from comment #8)
> I'm guessing that this will be fixed by bug 764389.
So is this bug fixed?
Reporter
Comment 13•12 years ago
Now I get:
JavaScript error: file:///Users/jruderman/Desktop/c.html, line 10: NS_ERROR_UNEXPECTED: Component returned failure code: 0x8000ffff (NS_ERROR_UNEXPECTED) [nsIDOMHistory.pushState]
I'll take it.
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: needinfo?(jruderman)
Resolution: --- → WORKSFORME
Updated•9 years ago
Group: core-security → core-security-release
Updated•7 years ago
Group: core-security-release