Filing a new bug, as requested by Boris in Bug 756719 comment 10. With bug 750307 fixed, the location property itself seems to be hardened well enough, but plugins may try to access it through |top.location| -- for instance, Adobe Flash Player opens javascript:top.location+"__flashplugin_unique__" to determine the page origin. And it is possible to shadow |top| using Object.defineProperty. Incidentally, Google Chrome seems to disallow redefining |top|.

Can we give the flash player Xray wrappers by default or something?

(In reply to Blake Kaplan (:mrbkap) from comment #2) > Can we give the flash player Xray wrappers by default or something? That would involve running NPAPI JS in a separate compartment. Which would be great, but I'm not signing up for that...

Even before we get that far: does flash JS need to see things like global variables by default? If so, we're sunk before we start.

Can we simply disallow mucking with top (and parent/owner while you're at it?).

Andrew says he can look into this, and yes, I think the answer here is to make window.top permanent so it can't be mucked with.

Per jst's suggestion, I just copied what is done for sNavigator_id. I'm going to try to understand what it actually is doing... Anyways, with this patch, the test produces this error: JavaScript error: file:///Users/amccreight/mz/tests/765527.html, line 3: can't redefine non-configurable property 'top' and does not produce a pop alert.

The original test seemed to hang my browser. This does the same thing, it just checks top.location.toString() directly instead of using a plugin. Without the patch, it evaluates to the bogus string, with it, it produces the correct URL.

I was getting some browser element failures, but jlebar pointed out GetScriptableTop(), and switching to that fixed the problem with those tests.

Comment on attachment 650991 [details] [diff] [review] v2, cargo culted patch I don't know this code very well. If top changes, this isn't going to be right because we're caching the result, but I think that's not possible, unless it is possible for the weird scripted stuff. If you could give feedback on the scripted top stuff, Justin (eg can it change) that would be good...

Comment on attachment 650991 [details] [diff] [review] v2, cargo culted patch If Justin says that we can't just cache the top value, we'll need a different approach that replaces the getter or something, so I'm clearing the review flag for now.

Suppose I move an iframe from one document to another. Does the iframe's contentWindow's outer window survive the re-parenting? That is, if I do var w = iframe.contentWindow; [move iframe from one document to another] w.src = "http://google.com"; does that have any effect? If so, then the outer window's .top changes, so GetScriptableTop should change to match. If not, then the only other circumstance I can think of which would cause GetScriptableTop to change is if you change a docshell's is-browser or is-app property, which you shouldn't do, and will likely break all sorts of other things.

(In reply to Justin Lebar [:jlebar] from comment #12) > Suppose I move an iframe from one document to another. In that case we reload the iframe.

... and in fact re-create docshell too.

If we re-create the docshell, then this should be fine.

Comment on attachment 650991 [details] [diff] [review] v2, cargo culted patch Thanks for the analysis!

Comment on attachment 650991 [details] [diff] [review] v2, cargo culted patch Who knows what evil lurks in the hearts of men?

Let's wait for this to be fixed on trunk before tracking for a specific ESR version again.

(In reply to Andrew McCreight [:mccr8] from comment #16) > Comment on attachment 650991 [details] [diff] [review] > v2, cargo culted patch > > Thanks for the analysis! Let's get this landed on m-c for possible aurora/beta 16 uplift.

This should get a testcase checked in, once it is made public.

Comment on attachment 650351 [details] friendlier version of the original test [Approval Request Comment] User impact if declined: possible security risks with Flash Bug caused by (feature/regressing bug #): none Fix Landed on Version: it has been on 17 for a few days Risk to taking this patch (and alternatives if risky): This changes web-exposed behavior which could potentially be bad, but Chrome already does this, so jst doesn't think it should be too bad. No real alternatives. I could leave it on Aurora and Nightly for another week or two to see if anything pops up. String or UUID changes made by this patch: none

Comment on attachment 650991 [details] [diff] [review] v2, cargo culted patch Err, that message was for this attachment, not the other one...

The test will have "GOOD!" in it twice if it passes, in the popup, otherwise one or both will be "BAD!" instead.

(In reply to Andrew McCreight [:mccr8] from comment #23) > Risk to taking this patch (and alternatives if risky): This changes > web-exposed behavior which could potentially be bad, but Chrome already does > this, so jst doesn't think it should be too bad. No real alternatives. I > could leave it on Aurora and Nightly for another week or two to see if > anything pops up. Let's target this fix for Beta 3, so that we can have a week on Aurora 17 of bake time. Normally I'd approve a change like this as early as possible to find regressions, but I'm concerned that if we land it on Beta and then find regressions, we'll be committed to still fixing in 16.

It works fine for beta, with minor adjustments. On ESR10, I had to change GetScriptedTop to GetTop, but even with that the test still fails with the patch applied, even though we are hitting the code I added. I'm not sure why that is.

Ah, so, this isn't working on ESR10 because bug 756719 never landed on ESR10.

I'll wait until that other bug lands on ESR10 to land this one there. https://hg.mozilla.org/releases/mozilla-beta/rev/e7bcf3d49761

I confirmed that it worked on ESR10 with bug 756719, but it ended up getting backed out, so I'll wait until that sorts itself out before landing.

Backed out because bug 756719 (née bug 750307) was backed out: https://hg.mozilla.org/releases/mozilla-esr10/rev/96931ca23431

Once more, with feeling. https://hg.mozilla.org/releases/mozilla-esr10/rev/d3922c1c120e

mass remove verifyme requests greater than 4 months old

I don't really know what I'm doing here, so I'd appreciate a review. I'm not sure how useful this test really is, as this will be much harder to mess up in the WebIDL world, but it is probably useful.

Comment on attachment 8462846 [details] [diff] [review] Add test for shadowing window.top. test fails on try