New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 805390 link

Starred by 1 user
Status: Fixed
Owner:
yukiy@chromium.org
Last visit > 30 days ago
Closed: Dec 7
Cc:
yukishiino@chromium.org
a...@chromium.org
tzik@chromium.org
haraken@chromium.org
dcheng@chromium.org
bashi@chromium.org
lfg@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Chrome , Mac
Pri: 2
Type: Bug



Sign in to add a comment

Event listeners are invoked in a nested message loop

Project Member Reported by haraken@chromium.org, Jan 24 2018 
Currently event listeners are invoked without checking whether the page is paused or not. Consequently event listeners may be invoked in a nested message loop.

This means that any arbitrary script from cross origin may run during a nested message loop, which is bad.

Here is a proof-of-concept. Type the following lines in JS console:

w = window.open()
d = w.document; input = d.createElement('input'); input.type = 'button'; input.value = 'button'; input.addEventListener('click', function(){ w.alert(123); }); d.body.appendChild(input);
window.print()

and click the button in the opened window. The event listener runs and window.alert() is invoked...

Comment 1 by lfg@chromium.org, Feb 8 2018

Cc: a...@chromium.org
Components: Blink>HTML>Dialog
Labels: OS-Chrome OS-Linux OS-Mac OS-Windows
Should we dismiss the modal dialog that causes the nested message loop when that happens? Or queue the event? Or just drop the event?

I think +Avi looked at auto-dismissing modal dialogs and nested message loops, any thoughts?

Comment 2 by dcheng@chromium.org, Feb 8 2018 

If we were to behave as if window.print() was truly modal, we ought to block interaction with the opened window.

That doesn't really seem practical though. Another alternative would be to simply queue JS events triggered in a nested message loop and only dispatch them when returning to the top level loop.

I wonder what happens if window.print() is called from the click event handler...?

Comment 3 by lfg@chromium.org, Feb 8 2018

Status: Available (was: Untriaged)
Re#2: calling window.print from the event handler silently fails. window.open also fails when called from the event handler.

Queueing seems like it would work, but there will be a lot of corner cases. Part of the problem is that another page is synchronously scripting the paused page, and queuing by itself doesn't address that. I think auto-dismissing may be better/simpler here. Of course auto-dismissing won't work if we are running a nested message loop for cooperative scheduling (which I'm assuming the intent of this bug is also targeting).

In any case, I'll leave this bug as Available for now, in case anyone wants to own it, feel free to pick it up.

Comment 4 by a...@chromium.org, Feb 8 2018 

window.print() spawns a dialog, which *should* be blocking the page from input. This should be blocked from the UI side, though the underlying issue is no less problematic.

Comment 5 by lfg@chromium.org, Feb 8 2018 

Re#4: This isn't interaction with the page directly, this is interaction with another page (in another tab) that can synchronously script the original page.

Comment 6 by yukishiino@chromium.org, Feb 9 2018

Cc: tzik@chromium.org

Comment 7 by yukishiino@chromium.org, Dec 7

Owner: yukiy@chromium.org
Status: Fixed (was: Available)
I think that this issue got fixed by yukiy@ at least for common cases.  The repro case at #0 no longer works.  Event listeners now check the callback's realm's pause as well as the incumbent realm's pause.  If it's not enough, feel free to file an new issue or reopen this issue.

Sign in to add a comment