Bugzilla@Mozilla – Bug 491134
nsDOMOfflineResourceList uses its own (unsafe) way to dispatch events
Last modified: 2009-07-21 21:28:53 PDT
nsDOMOfflineResourceList pushes a context to the stack before iterating event listeners and pops it later. But it does not check whether an event listener killed the cx or anything like that. I believe this may lead to problems similar to what XHR had in Bug 460002. I'll make nsDOMOfflineResourceList work like any other event target, but for branches some other fix is needed.
Created attachment 376727 [details] [review]
for trunk

This became quite large, but I really do want all the event dispatching to work the same way. This change also allows simplifications to nsPrivateDOMEvent. Event handling is moved from nsXHREventTarget to a new helper class nsDOMEventTargetHelper, and the static method GetDocumentFromScriptContext is moved from nsXMLHttpRequest.cpp to nsContentUtils. nsXHREventTarget extends nsDOMEventTargetHelper, and nsDOMOfflineResourceList does that too. This removes nsDOMOfflineResourceList::NotifyEventListeners, because normal event handling can now be used with nsDOMOfflineResourceList.

Branches can have a simpler change: some kind of CheckInnerWindowCorrectness in NotifyEventListeners. That is what is done in 1.9.0.x XHR.
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/content/base/src/nsXMLHttpRequest.cpp&rev=1.248&mark=1046#1018
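The failure mode described in the two comments above, modelled as an added example (this is not Gecko code and not either attachment): an event target remembers the inner window it was created in, and a listener that navigates the window replaces that inner window mid-dispatch. The unchecked loop keeps calling listeners against the dead owner; the checked loop re-validates the owner before each call, which is the CheckInnerWindowCorrectness idea for branches. The names OuterWindow, InnerWindow, OfflineResourceListModel and OwnerIsCurrent are assumptions made for the example.

```cpp
#include <cstdint>
#include <functional>
#include <iostream>
#include <memory>
#include <vector>

// Constructed model, not Gecko code: an outer window whose current inner
// window is replaced on navigation, which is what tears down the script
// context an event target was created under.
struct InnerWindow {
  uint64_t id;
};

struct OuterWindow {
  std::shared_ptr<InnerWindow> inner;
  uint64_t nextId = 1;
  OuterWindow() { navigate(); }
  // Navigation discards the current inner window and installs a fresh one.
  void navigate() { inner = std::make_shared<InnerWindow>(InnerWindow{nextId++}); }
};

using Listener = std::function<void()>;

// Stand-in for an event target such as applicationCache: it remembers the
// inner window it was created in (its "owner").
struct OfflineResourceListModel {
  OuterWindow* outer;
  std::shared_ptr<InnerWindow> owner;
  std::vector<Listener> listeners;
  int delivered = 0;        // listener invocations that actually happened
  int staleDeliveries = 0;  // invocations made after the owner was torn down

  explicit OfflineResourceListModel(OuterWindow* w) : outer(w), owner(w->inner) {}

  // Analogue of the CheckInnerWindowCorrectness idea: the owner is usable
  // only while it is still the outer window's current inner window.
  bool OwnerIsCurrent() const { return outer->inner == owner; }

  // Unchecked dispatch: validate once up front, then run every listener.
  // If a listener navigates the window, the rest run against a dead owner.
  void NotifyEventListenersUnchecked() {
    if (!OwnerIsCurrent()) return;
    std::vector<Listener> snapshot = listeners;  // listeners may mutate the list
    for (const Listener& fn : snapshot) {
      if (!OwnerIsCurrent()) ++staleDeliveries;  // tally the stale call instead of crashing
      ++delivered;
      fn();
    }
  }

  // Checked dispatch: re-validate the owner before every call and stop as
  // soon as the window the target belongs to is gone.
  void NotifyEventListenersChecked() {
    std::vector<Listener> snapshot = listeners;
    for (const Listener& fn : snapshot) {
      if (!OwnerIsCurrent()) return;
      ++delivered;
      fn();
    }
  }
};

// Scenario shared by both dispatch styles (constructed): the first listener
// navigates the window, the second one is an innocent bystander.
static OfflineResourceListModel MakeScenario(OuterWindow& w) {
  OfflineResourceListModel target(&w);
  target.listeners.push_back([&w] { w.navigate(); });
  target.listeners.push_back([] {});
  return target;
}

int StaleDeliveriesUnchecked() {
  OuterWindow w;
  OfflineResourceListModel target = MakeScenario(w);
  target.NotifyEventListenersUnchecked();
  return target.staleDeliveries;  // 1: the bystander ran after navigation
}

int DeliveredChecked() {
  OuterWindow w;
  OfflineResourceListModel target = MakeScenario(w);
  target.NotifyEventListenersChecked();
  return target.delivered;  // 1: only the first listener ran
}

int main() {
  std::cout << "unchecked: stale deliveries = " << StaleDeliveriesUnchecked() << "\n";
  std::cout << "checked:   deliveries       = " << DeliveredChecked() << "\n";
  return 0;
}
```

The snapshot copy guards against a listener adding or removing listeners during dispatch; the per-call owner check is the part the branch fix adds, and it is what the trunk patch gets for free by routing dispatch through the shared event-target helper.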
Would be great to have a testcase here. Something like the testcases in Bug 460002, but using applicationCache and not XHR. But even without such testcase the patch is needed for trunk.
We may reconsider if the "simpler change" for branches promised in comment 1 ends up not working out.
I tried to make a testcase, using the testcase from bug 460002, but I got all kinds of js errors, trying to get something. Probably moz_bug_r_a4@yahoo.com might be able to come up with something, because he understands the testcase from bug 460002 that he wrote (I don't).
OK. I'll attach an XSS testcase and a crash testcase. The XSS testcase depends on bfcache enabled.
With the patch I can't reproduce crashes nor XSS.
Created attachment 377510 [details] [review] For 1.9.1 and 1.9.0
Blocking 1.9.1 as well.
Comment on attachment 376727 [details] [review]
for trunk

- In nsContentUtils::GetDocumentFromScriptContext():

+ nsCOMPtr<nsIDOMDocument> domdoc;
+ window->GetDocument(getter_AddRefs(domdoc));

I wonder if this should use nsPIDOMWindow::GetExtantDocument() to avoid ever creating a document if one doesn't exist yet (or any more) in some odd edgecases here?

r+sr=jst
(In reply to comment #13)
> I wonder if this should use nsPIDOMWindow::GetExtantDocument() to avoid ever
> creating a document if one doesn't exist yet (or any more) in some odd
> edgecases here?

Yeah, perhaps. I just moved that code out from nsXMLHttpRequest.cpp
I'll land the 1.9.1 patch to trunk too, and then after landing it to branches I can back it out and land the trunk patch. This way it gets more testing.
http://hg.mozilla.org/mozilla-central/rev/13b38e2a54ee Landed the 1.9.1 patch to trunk. This bug is sort-of-fixed now, at least the security part of it, but I will land the trunk patch later.
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/925e366b831b
Comment on attachment 377510 [details] [review] For 1.9.1 and 1.9.0 Approved for 1.9.0.12, a=dveditz for release-drivers
Checking in dom/src/offline/nsDOMOfflineResourceList.cpp;
/cvsroot/mozilla/dom/src/offline/nsDOMOfflineResourceList.cpp,v  <--  nsDOMOfflineResourceList.cpp
new revision: 1.8; previous revision: 1.7
done
Created attachment 383191 [details] [review] for trunk (includes backout of the branch patch)
http://hg.mozilla.org/mozilla-central/rev/35740f840f78
Are these test cases for 1.9.1 and trunk only? I get no alert or crash with 1.9.0.11 with either case on Windows XP.
I can reproduce these testcases on 1.9.0.11. Did you allow Offline App? On 1.9.0.11, when I loaded a testcase in a background tab, a notification for offline-app-requested did not appear, thus I needed to reload the testcase to allow Offline App.
I uploaded them to my own web server on the net. The first time I run a case, I get prompted for offline access, which I allow. After that, with either case, when I click on the button, it simply opens a new tab with the case in that tab. This is on Windows XP with 3.0.11. I wiped my XP virtual machine back to a clean state, reinstalled 3.0.11, and tried again today and had the same results. I tried the same thing with a new profile on OS X 10.5.7. The behavior was the same. The first time a case is opened, I get the prompt for offline access. I choose "always allow" and then reload the page (I have exited and reloaded the page too). Clicking on the button in either case just loads the case again in a new tab. Is there a missing step somewhere for setup or the case?
When you uploaded the testcases to your server, did you modify *-opener.html? |var u = "?id=...";| is the URI of *-main.html in b.m.o, and you need to change it to the URI of *-main.html in your server.
Ah, yes. I didn't realize that you had hardcoded the URLs to BMO. When we have multi-file testcases, we normally run them off of BMO because we've had problems in the past with the interaction with BMO for some testcases. When I load them from BMO, they work as you outline and the problems are fixed in the 1.9.0.12pre build: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.12pre) Gecko/2009070105 GranParadiso/3.0.12pre (.NET CLR 3.5.30729).
verified FIXED using the attached testcases (and found the expected results matched the actual ones) on builds: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090721 Minefield/3.6a1pre ID:20090721044139 and Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1pre) Gecko/20090720 Shiretoko/3.5.1pre ID:20090720042942