by skriptimaahinen » Thu Aug 20, 2020 10:45 am
11.0.39rc6 on linux. Can't reproduce the original bug with any config, so not able to say anything about how the fix handles that, BUT...
While changing permissions on any file, the permissions are not always actually changed after the reload.
This would appear to be caused by the onBeforeUnload not being removed correctly on DOMContentLoaded, which will cause the old permissions to be set after reloading.
But before you rush to fix it, consider also this example:
Code: Select all
<!doctype html>
<html>
<head>
<script>
alert("Blocking DOM so that DOMContentLoaded will not happen unless the alert is dismissed!");
</script>
</head>
</html>
User could allow scripts, get the popup and immediately decide to disallow them again, which would result in a reload happening before DOMContentLoaded, onBeforeUnload running, the old permissions being set again and another popup, even if the removing of onBeforeUnload is fixed in DOMContentLoaded.
Also the timestamp in the key will eventually (with some bad luck or persistence) cause the policy to be left in the window.name. Is the timestamp necessary?
11.0.39rc6 on linux. Can't reproduce the original bug with any config, so not able to say anything about how the fix handles that, BUT...
[b]While changing permissions on any file, the permissions are not always actually changed after the reload.[/b]
This would appear to be caused by the onBeforeUnload not being removed correctly on DOMContentLoaded, which will cause the old permissions to be set after reloading.
But before you rush to fix it, consider also this example:
[code]<!doctype html>
<html>
<head>
<script>
alert("Blocking DOM so that DOMContentLoaded will not happen unless the alert is dismissed!");
</script>
</head>
</html>[/code]
User could allow scripts, get the popup and immediately decide to disallow them again, which would result in a reload happening before DOMContentLoaded, onBeforeUnload running, the old permissions being set again and another popup, even if the removing of onBeforeUnload is fixed in DOMContentLoaded.
Also the timestamp in the key will eventually (with some bad luck or persistence) cause the policy to be left in the window.name. Is the timestamp necessary?