Bug 262892 - Implement a more robust guarantee that toggling “details” open-ness can’t lead to arbitrary execution of JavaScript (no events dispatched)
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2023-10-09 08:35 PDT by sideshowbarker
Modified: 2023-10-16 08:36 PDT
CC List: 2 users

See Also:

Description sideshowbarker 2023-10-09 08:35:16 PDT
https://github.com/WebKit/WebKit/pull/18281 includes adding a mechanism for causing mutation events not to fire, as required by the HTML standard at https://html.spec.whatwg.org/multipage/dom.html#concept-document-fire-mutation-events-flag and https://html.spec.whatwg.org/multipage/interactive-elements.html#ensure-details-exclusivity-by-closing-other-elements-if-needed — but see https://github.com/WebKit/WebKit/pull/18281#discussion_r1349255737

> This seems fragile to me. Are we guaranteed that mutation events are the only way toggleOpen can lead to arbitrary execution of JavaScript? Because if anything runs and then in turn does other DOM modification, it will run with mutation events disabled. Calling setShouldFireMutationEvents(false) alone seems like a not entirely robust guarantee that no events of any kind will be dispatched. I’m sure that’s true right now, but I can so easily imagine us making a mistake later as we evolve the implementation.
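The concern in the quoted review comment can be made concrete with a small model. The following is an added illustration, not WebKit code and not the HTML spec's reference implementation: a toy `Document` carrying the spec's "fire mutation events" flag, a `DetailsElement`, and an `ensureDetailsExclusivity` step that closes sibling `details` with the flag cleared, as the spec step linked above requires. The `attributeHooks` array and the `violations` counter are constructed for the model; the hooks stand in for "anything that runs" synchronously during the close, and the counter is the kind of debug check a reviewer would want at script-entry points while the flag is false.

```javascript
// Toy model of the HTML "ensure details exclusivity" step and the document's
// "fire mutation events" flag. Added illustration, not WebKit code: it shows
// the failure mode raised in the review comment (script running synchronously
// while the flag is false has its own DOM mutations' events swallowed) and a
// debug check that would catch it.

class Document {
  constructor() {
    this.shouldFireMutationEvents = true;
    this.elements = [];
    this.mutationLog = [];    // mutation events that were dispatched
    this.suppressedLog = [];  // mutations whose events were swallowed by the flag
    this.attributeHooks = []; // hypothetical sync hooks standing in for "anything that runs script"
    this.violations = 0;      // times script ran while the flag was false
  }

  setShouldFireMutationEvents(value) { this.shouldFireMutationEvents = value; }

  createDetails(name, open) {
    const el = new DetailsElement(this, name, open);
    this.elements.push(el);
    return el;
  }

  // Called on every attribute change; models DOMAttrModified dispatch.
  notifyAttributeChanged(el, attr, value) {
    const record = `${el.id}.${attr}=${value}`;
    (this.shouldFireMutationEvents ? this.mutationLog : this.suppressedLog).push(record);
    if (this.attributeHooks.length > 0 && !this.shouldFireMutationEvents) {
      // Debug check: script is about to run with mutation events disabled.
      this.violations += 1;
    }
    for (const hook of this.attributeHooks) hook(el, attr, value);
  }
}

class DetailsElement {
  constructor(doc, name, open) {
    this.doc = doc;
    this.id = `d${doc.elements.length}`; // constructed id, unique per document
    this.name = name;
    this.open = open;
    this.summaryText = 'summary';
  }

  setOpen(value) {
    if (this.open === value) return;
    this.open = value;
    this.doc.notifyAttributeChanged(this, 'open', value);
    if (value) ensureDetailsExclusivity(this);
  }

  setSummaryText(text) {
    this.summaryText = text;
    this.doc.notifyAttributeChanged(this, 'summary', text);
  }
}

// Spec step: when a named details is opened, close the other open details in
// the same name group, with mutation events disabled around each removal.
function ensureDetailsExclusivity(opened) {
  if (!opened.name) return;
  const doc = opened.doc;
  for (const other of doc.elements) {
    if (other === opened || other.name !== opened.name || !other.open) continue;
    doc.setShouldFireMutationEvents(false);
    try {
      other.setOpen(false);
    } finally {
      doc.setShouldFireMutationEvents(true);
    }
  }
}

// Scenario: a and b share a name, a starts open, c is unrelated. Opening b must
// close a. With withReentrantHook, a hook reacts to a's close by mutating c;
// that mutation's event is lost because the flag is still false at that point.
function runScenario(withReentrantHook) {
  const doc = new Document();
  const a = doc.createDetails('grp', true);
  const b = doc.createDetails('grp', false);
  const c = doc.createDetails(null, false);
  if (withReentrantHook) {
    doc.attributeHooks.push((el, attr, value) => {
      if (el === a && attr === 'open' && value === false) {
        c.setSummaryText('changed while a was closing');
      }
    });
  }
  b.setOpen(true);
  return { fired: doc.mutationLog, suppressed: doc.suppressedLog, violations: doc.violations };
}

console.log(runScenario(false));
console.log(runScenario(true));
```

Without the hook only `a`'s own `open` removal is suppressed, which is what the spec intends. With the hook, the unrelated mutation of `c` is also silently suppressed, and the `violations` counter is what turns "I'm sure that's true right now" into something a debug build would report the moment a future code path lets script run inside the cleared-flag window.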
Comment 1 Radar WebKit Bug Importer 2023-10-16 08:36:15 PDT
<rdar://problem/117019331>