WebKit Bugzilla
NEW
262892
Implement a more robust guarantee that toggling “details” open-ness can’t lead to arbitrary execution of JavaScript (no events dispatched)
https://bugs.webkit.org/show_bug.cgi?id=262892
Reported by sideshowbarker, 2023-10-09 08:35:16 PDT
https://github.com/WebKit/WebKit/pull/18281 includes adding a mechanism for causing mutation events not to fire, as required by the HTML standard at https://html.spec.whatwg.org/multipage/dom.html#concept-document-fire-mutation-events-flag and https://html.spec.whatwg.org/multipage/interactive-elements.html#ensure-details-exclusivity-by-closing-other-elements-if-needed — but see https://github.com/WebKit/WebKit/pull/18281#discussion_r1349255737
> This seems fragile to me. Are we guaranteed that mutation events are the only way toggleOpen can lead to arbitrary execution of JavaScript? Because if anything runs and then in turn does other DOM modification, it will run with mutation events disabled. Calling setShouldFireMutationEvents(false) alone seems like a not entirely robust guarantee that no events of any kind will be dispatched. I’m sure that’s true right now, but I can so easily imagine us making a mistake later as we evolve the implementation.
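
The concern quoted above, shown as an added toy model (not WebKit code and not part of the original report): a flag that suppresses one event type leaves other script entry points open, while a guard checked at the single script entry point catches all of them. Every type and function name below is hypothetical.

```cpp
#include <functional>

// Toy model of a document; all names are hypothetical, none are WebKit's.
struct Document {
    bool fireMutationEvents = true;  // the flag the quoted comment discusses
    int scriptDisallowedDepth = 0;   // > 0 means no script may run right now
    int scriptRuns = 0;              // how many times script actually ran
    int violations = 0;              // script entry attempts while disallowed
    std::function<void(Document&)> mutationListener;
    std::function<void(Document&)> otherCallback;  // any non-mutation entry point

    // Single choke point through which every script callback must pass.
    void runScript(const std::function<void(Document&)>& fn) {
        if (!fn) return;
        if (scriptDisallowedDepth > 0) { ++violations; return; }  // blocked and counted
        ++scriptRuns;
        fn(*this);
    }
    // An attribute change such as removing "open" from another details element.
    void attributeChanged() {
        if (fireMutationEvents) runScript(mutationListener);
        runScript(otherCallback);  // a path the mutation-events flag knows nothing about
    }
};

// RAII guards so the previous state is restored on every exit path.
struct MutationEventsDisabled {
    Document& d; bool saved;
    explicit MutationEventsDisabled(Document& doc) : d(doc), saved(doc.fireMutationEvents) { d.fireMutationEvents = false; }
    ~MutationEventsDisabled() { d.fireMutationEvents = saved; }
};
struct ScriptDisallowed {
    Document& d;
    explicit ScriptDisallowed(Document& doc) : d(doc) { ++d.scriptDisallowedDepth; }
    ~ScriptDisallowed() { --d.scriptDisallowedDepth; }
};

Document sampleDocument() {  // constructed sample: both listeners registered
    Document d;
    d.mutationListener = [](Document&) {};
    d.otherCallback = [](Document&) {};
    return d;
}
// Flag only: the mutation listener is suppressed, the other callback still runs.
Document closeWithFlagOnly(Document d) { { MutationEventsDisabled g(d); d.attributeChanged(); } return d; }
// Guard at the choke point: no script runs, and each attempt is recorded.
Document closeWithScriptGuard(Document d) { { ScriptDisallowed g(d); d.attributeChanged(); } return d; }

int main() { return closeWithScriptGuard(sampleDocument()).scriptRuns; }
```
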
Radar WebKit Bug Importer
Comment 1
2023-10-16 08:36:15 PDT
<rdar://problem/117019331>