This is an archived snapshot of W3C's public Bugzilla bug tracker, decommissioned in April 2019.

Bug 11323 - Don't run scripts when the owner doc isn't the inserter parser's doc or when the owner doc is not the same at "run" and "execute" time
Status: RESOLVED FIXED
Alias: None
Product: HTML WG
Classification: Unclassified
Component: LC1 HTML5 spec (show other bugs)
Version: unspecified
Hardware: All
OS: All
Importance: P1 critical
Target Milestone: ---
Assignee: Ian 'Hixie' Hickson
QA Contact: HTML WG Bugzilla archive list
URL:
Whiteboard:
Keywords:
Depends on: 11301
Blocks:
Reported: 2010-11-16 09:55 UTC by Henri Sivonen
Modified: 2011-08-04 05:36 UTC (History)
CC: 8 users

See Also:


Description Henri Sivonen 2010-11-16 09:55:55 UTC
Context: https://bugzilla.mozilla.org/show_bug.cgi?id=592366

As a defense in depth measure, please make scripts not executable (with their "already started" flag set!) if 
 1) For a parser-inserted script, at the time of the "run" algorithm, the owner document of the script is not the document whose active parser is triggering the "run" algorithm.
 2) If the owner doc of the script at the time of "execution" is not the same as at the time the "run" algorithm was invoked.
Comment 1 Henri Sivonen 2010-12-02 13:01:55 UTC
If the spec is changed on point #2, it would make sense to put in the Opera/IE behavior of canceling a script (and unblocking the parser if the script was the parser-blocking script) when a pending script is removed from the tree:
http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2010-November/029039.html
Comment 2 Ian 'Hixie' Hickson 2011-02-08 20:56:33 UTC
For #1, I propose to add the following step after the "The user agent must set the element's "already started" flag." step of "run":

9a. If the element has been flagged as "parser-inserted", and the element's Document is not the Document of the parser that created the element, then abort these steps.


For #2, I propose to wrap the whole "execute" algorithm in a new <ol>, put the existing stuff as step 2 of that <ol>, and make the following step 1:

1. If the element has been flagged as "parser-inserted", and the element's Document is not the Document of the parser that created the element, then abort these steps.


I'll deal with the WHATWG feedback cited in comment 1 as part of dealing with e-mail feedback.


Are the above proposals acceptable solutions to this bug?
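A small added model of the two checks proposed in comment 2, written for this page rather than taken from the spec or any browser; the Doc and Parser objects, the immediate "fetch", and the adoptNode() helper are simplifying assumptions. It shows that a parser-inserted script moved to another Document while its fetch is pending is aborted at "execute" time, and one whose owner Document already differs at "run" time gets its "already started" flag set but is never fetched.

```javascript
// Added model of the two proposed checks; not spec text or browser code.
// A Doc stands for a Document, a Parser for that Document's active HTML parser.
class Doc { constructor(name) { this.name = name; } }

class Parser {
  constructor(doc) { this.document = doc; }
  // The parser records which Document it was parsing for when it created the element.
  createScript(src) {
    return { src, parserInserted: true, parserDocument: this.document,
             ownerDocument: this.document, alreadyStarted: false, fetched: false };
  }
}

// Simplified "run" (prepare) step: returns true if a fetch starts, false if aborted.
// The "already started" flag is set before the new check, as the reporter asked.
function prepareScript(script) {
  if (script.alreadyStarted) return false;
  script.alreadyStarted = true;
  // Proposed step 9a: parser-inserted and owner Document is not the parser's Document.
  if (script.parserInserted && script.ownerDocument !== script.parserDocument) return false;
  script.fetched = true;   // model the fetch completing immediately
  return true;
}

// Simplified "execute" step: returns "executed" or "aborted".
function executeScript(script) {
  // Proposed new step 1: re-check the Document at execution time.
  if (script.parserInserted && script.ownerDocument !== script.parserDocument) return "aborted";
  return script.fetched ? "executed" : "aborted";
}

// Hypothetical adoptNode(): the only way this model moves an element between Docs.
function adoptNode(script, targetDoc) { script.ownerDocument = targetDoc; }

function scenarioNormal() {
  const s = new Parser(new Doc("A")).createScript("a.js");
  prepareScript(s);
  return executeScript(s);                    // "executed"
}
function scenarioMovedWhilePending() {
  const s = new Parser(new Doc("A")).createScript("a.js");
  prepareScript(s);                           // fetch starts while the script is in A
  adoptNode(s, new Doc("B"));                 // moved to B before it executes
  return executeScript(s);                    // "aborted"
}
function scenarioInsertedIntoOtherDoc() {
  const s = new Parser(new Doc("A")).createScript("a.js");
  adoptNode(s, new Doc("B"));                 // already in B at "run" time
  return { fetched: prepareScript(s), started: s.alreadyStarted }; // false, true
}
```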
Comment 3 contributor 2011-02-14 20:48:13 UTC
Checked in as WHATWG revision r5883.
Check-in comment: Make a parser-inserted script not run if it is moved to another document before it executes (and not even fetch if it is parsed into another document than its parser's document).
http://html5.org/tools/web-apps-tracker?from=5882&to=5883
Comment 4 Ian 'Hixie' Hickson 2011-02-14 20:48:53 UTC
EDITOR'S RESPONSE: This is an Editor's Response to your comment. If you are satisfied with this response, please change the state of this bug to CLOSED. If you have additional information and would like the editor to reconsider, please reopen this bug. If you would like to escalate the issue to the full HTML Working Group, please add the TrackerRequest keyword to this bug, and suggest title and text for the tracker issue; or you may create a tracker issue yourself, if you are able to do so. For more details, see this document:
   http://dev.w3.org/html5/decision-policy/decision-policy.html

Status: Accepted
Change Description: see diff given above and proposal in comment 2.
Rationale: Concurred with reporter's comments.
Comment 5 Ian 'Hixie' Hickson 2011-02-14 20:54:07 UTC
Answer to comment 1 is here:
http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2011-February/030355.html

Given how much of an edge case this particular issue is, I don't think there's really any value in changing the behaviour. However, if it turns out there are pages that do trigger this behaviour, let me know (by e-mail or in a new bug), and we can change the behaviour accordingly.
Comment 6 Michael[tm] Smith 2011-08-04 05:36:15 UTC
mass-move component to LC1