Creating an empty <object> tag with JavaScript makes the tab crash
Reported by
leon4609...@gmail.com,
Mar 30 2018
Issue description
UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
Steps to reproduce the problem:
1. Open the Console on about:blank or whatever (it's not working with CSP "object-src 'none'")
2. Append
var x = document.createElement('OBJECT'); // empty <object>: no data attribute
x.setAttribute("type", "text/plain");
document.body.appendChild(x);             // the tab crashes once this is appended (step 3)
3. The tab crashes
What is the expected behavior?
The <object> object must be appended but with nothing in it.
What went wrong?
The tab crashes.
Did this work before? N/A
Chrome version: 65.0.3325.181 Channel: stable
OS Version: 4.15.14-1-ck #1 SMP PREEMPT Thu Mar 29 15:28:36 EDT 2018 x86_64 GNU/Linux
Flash Version: 29.0.0.113
When CSP directive : "object-src 'none'" is set, the object appends but it doesn't work.
Mar 30 2018
I have the same issue on Windows.
Mar 31 2018
Bisect info: 526336 (good) - 526339 (bad)
https://chromium.googlesource.com/chromium/src/+log/eff75e19..be1358e5?pretty=fuller
In r526339 "Update V8 to version 6.5.110."
changelog https://chromium.googlesource.com/v8/v8/+log/1c7a1af2..c2d545ce
Suspecting ce609dba3254c901c7eba32147456b470f4cf05a "[inspector] injected script source should call less user code"
Landed in 65.0.3308.0
Apr 3 2018
Crash site is in the V8 bindings. Tentatively assigning to JS component.
Apr 3 2018
Able to reproduce the issue on Windows 10, mac 10.13.3 and Ubuntu 14.04 using chrome reported version #65.0.3325.181 and latest canary #67.0.3386.0.
Bisect Information:
=====================
Good build: 65.0.3307.0
Bad Build : 65.0.3308.0
Change Log URL: https://chromium.googlesource.com/chromium/src/+log/eff75e19..be1358e5?pretty=fuller
V8-Autoroll Change log: https://chromium.googlesource.com/v8/v8/+log/1c7a1af2..c2d545ce
From the above change log suspecting below change
Change-Id: Ibfee850949124d056a443d869ea67a71abd71d24
Reviewed-on: https://chromium-review.googlesource.com/845299
kozyatinskiy@ - Could you please check whether this is caused with respect to your change, if not please help us in assigning it to the right owner.
Note: Adding stable blocker for M-65, as it seems to be a recent regression. Please feel free to remove the same if not appropriate.
Thanks...!!
Apr 4 2018
We're not planning any more M65 releases. Pls target fix for M66.
Apr 9 2018
Friendly ping to get an update on this issue as it is marked as stable blocker & M66 Stable cut is on April 12th. Thanks..!
Apr 9 2018
Reminder: Please note that M66 Stable is only 7 days away. This bug has been marked as ReleaseBlock Stable for M66. So please take a look and appropriately address this bug.
Apr 13 2018
Since this is present on 65, my recommendation is to target this for 67 now since 66 will go to stable next week.
Apr 25 2018
M67 Stable promotion is coming soon. Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and request a merge into the release branch ASAP. Thank you.
May 2 2018
*** Bulk Edit *** M67 Stable promotion is coming soon. Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and request a merge into the release branch ASAP. If fix is already merged to M67 and nothing else is pending, pls mark the bug as fixed. Thank you.
May 7 2018
Issue 839026 has been merged into this issue.
May 7 2018
*** Bulk Edit *** M67 Stable promotion is coming VERY soon. Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and request a merge into the release branch ASAP. If fix is already merged to M67 and nothing else is pending, pls mark the bug as fixed. Thank you.
May 9 2018
As this is regressed in M65 and M67 is going to stable soon, pls target fix for M68.
May 24 2018
Friendly ping to get an update on this issue as it is marked as RBS. Thanks..!
Jun 11 2018
kozy@, Gentle ping to get an update on this issue as per C#14 (as it is marked as RBS). Thanks..!
Jul 3
Bulk update: M68 stable cut is scheduled for July 19th. This issue is marked as RB-Stable, so please take a look at it before. Thanks!
Jul 12
Friendly ping to get an update on this issue as it is marked as RBS. Could some one from devtools/Javascript team please take a look. Thanks..!
Jul 16
I'm removing RBS for this. This has been present since M65. If you disagree, please add it back.
Jul 16
Seems weird.
1. ignoring a bug for several releases since receiving a report
2. declaring it present long enough to cease being a blocker
3. ???
4. profit!
Jul 17
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/a796715eb5d3dce15ddc16b54e0311f5261b7136

commit a796715eb5d3dce15ddc16b54e0311f5261b7136
Author: Alexey Kozyatinskiy <kozyatinskiy@chromium.org>
Date: Tue Jul 17 20:50:16 2018

[inspector] warmup dom bindings before calling anything on them

We try to prevent side effects by forbidding running any JavaScript when we get a property from a node object. In the case of an object node it is possible that by calling a property we force internal object initialization which may force creation of a new context; this initialization can not be made with forbidden JavaScript and at the same time is side effect free. As a workaround we can warm up dom objects first and then generate the description.

R=dgozman@chromium.org

Bug: chromium:827585
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Change-Id: Ifd2c6317ffd5cb3822d2a2eedf3d0b0f36a201f1
Reviewed-on: https://chromium-review.googlesource.com/1041078
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54505}

[modify] https://crrev.com/a796715eb5d3dce15ddc16b54e0311f5261b7136/src/inspector/injected-script-source.js
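The mechanism the commit message above describes, as an added model that is not code from V8, Chromium or this bug's fix: the inspector describes a node while all JavaScript is forbidden (the side-effect-free rule), but the <object> element's binding only initialises itself on first access and that initialisation needs JavaScript, so the description step hits a state it cannot handle. The workaround is to touch the bindings once before the forbidden window opens. Every name below (LazyNode, describe, warmUp, the userCodeForbidden flag) is a hypothetical stand-in, and the thrown error stands in for the renderer crash.

```javascript
// Added model of the "warm up before describing" workaround. Not code from
// V8 or Chromium; all names here are hypothetical stand-ins.

// Inspector-side flag: while true, nothing may run JavaScript (the
// side-effect-free rule the injected script enforces during description).
const state = { userCodeForbidden: false };

// Stand-in for a DOM wrapper (the <object> element in the bug) whose
// binding is created the first time a property is read, and whose creation
// needs JavaScript to run.
class LazyNode {
  constructor(tagName) {
    this.tagName = tagName;
    this._binding = null;
  }
  get contentDocument() {
    if (this._binding === null) {
      if (state.userCodeForbidden) {
        // In the real browser this is the point at which the tab crashed.
        throw new Error('binding initialisation needs JS while JS is forbidden');
      }
      this._binding = { contentDocument: null };
    }
    return this._binding.contentDocument;
  }
}

// Runs fn with user code forbidden, restoring the flag afterwards.
function withUserCodeForbidden(fn) {
  state.userCodeForbidden = true;
  try {
    return fn();
  } finally {
    state.userCodeForbidden = false;
  }
}

// The description step: reads the properties the console preview shows.
function describe(node) {
  return { tagName: node.tagName, contentDocument: node.contentDocument };
}

// Regressed behaviour: describe straight away under the no-user-code rule.
function describeUnwarmed(node) {
  return withUserCodeForbidden(() => describe(node));
}

// Workaround from the fix: touch the bindings first, while JS is still
// allowed, so the later description has no initialisation left to trigger.
function warmUp(node) {
  void node.contentDocument;
  return node;
}
function describeWarmed(node) {
  warmUp(node);
  return withUserCodeForbidden(() => describe(node));
}

// Returns 'crash' or 'ok' for the unwarmed path, so the two paths can be compared.
function tryDescribeUnwarmed(node) {
  try {
    describeUnwarmed(node);
    return 'ok';
  } catch (e) {
    return 'crash';
  }
}

// Constructed sample run (not output captured from Chrome):
// tryDescribeUnwarmed(new LazyNode('OBJECT')) -> 'crash'
// describeWarmed(new LazyNode('OBJECT'))      -> { tagName: 'OBJECT', contentDocument: null }
```

The model is deliberately small: the point is only that the forbidden window and the lazy initialisation overlap, and that warming up moves the initialisation out of that window without changing what the description reports.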