specific javascript code will crash firefox

Bug reports and enhancement requests
taoww
Posts: 1
Joined: Sat Apr 11, 2015 10:13 am

specific javascript code will crash firefox

Post by taoww »

NoScript 2.6.9.21
Firefox 37 Linux / 38 Beta Win7

The code below will crash Firefox with NoScript enabled.

test.html

Code:

<!DOCTYPE HTML>
<html>
<head>
	<title></title>
	<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
	<script>
		(new window.MutationObserver(function (mRecords) {
			var wPlugins = [];
			mRecords.forEach(function (mRecord) {
				var addedNodes = mRecord.addedNodes;
				if (!addedNodes.length) {
					return;
				}
				[].forEach.call(addedNodes, function (node) {
					if (node.nodeType != 1) return;
					if (/^(?:OBJECT|EMBED)$/.test(node.nodeName)) {
						wPlugins.push(node);
					};
					[].push.apply(wPlugins, node.querySelectorAll('object, embed'));
				});
			});
			initializer(wPlugins);
		})).observe(document, {
			childList: true, 
			subtree: true, 
		});
	
		function initializer(plugins) {
			plugins.forEach(function(plugin) {
				if (plugin._reinitialized === true) {
					return;
				}
				plugin._reinitialized = true;
				var p = plugin.parentNode;
				var s = plugin.previousSibling;
				p.removeChild(plugin);
				setTimeout(function() {
					p.insertBefore(plugin, s);
				}, 20);
			});
		}
	</script>
</head>
<body>
<embed style="" class="" name="Player" id="Player" src="http://www.91jucai.com/ckplayer/ckplayer.swf" flashvars="a=XOTI4NDY2MDc2_wd1" quality="high" allowscriptaccess="always" allowfullscreen="true" type="application/x-shockwave-flash" align="middle" width="550" height="400">
</body>
</html>
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0
therube
Ambassador
Posts: 7972
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: specific javascript code will crash firefox

Post by therube »

Seems to only happen if file:// is specifically Allowed.

The Windows end of the crash says it is plugin-container.exe that is crashing.
Haven't gotten the (SeaMonkey) crash report to generate, yet.

https://crash-stats.mozilla.com/report/ ... 2432150411
https://crash-stats.mozilla.com/report/ ... d612150411

Which points to Bug 1149891 - crash in CSPService::ShouldLoad(unsigned int, nsIURI*, nsIURI*, nsISupports*, nsACString_internal const&, nsISupports*, nsIPrincipal*, short*) from userscript.
https://bugzilla.mozilla.org/show_bug.cgi?id=1149891

Does not crash if NoScript is disabled.

With NoScript enabled, once you Allow file:// the crash is instantaneous.


In the bug, presumably having Greasemonkey installed, like having NoScript installed here, is necessary to cause the crash.


SeaMonkey 2.33.1, Win7 x64, NoScript 2.6.9.20rc2.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 SeaMonkey/2.33.1
barbaz
Senior Member
Posts: 11109
Joined: Sat Aug 03, 2013 5:45 pm

Re: specific javascript code will crash firefox

Post by barbaz »

What is that code "supposed" to do?
Does the crash still happen if you allow all Flash from 91jucai dot com?
Is the Flash object immaterial (meaning, can it be any Flash object)?
*Always* check the changelogs BEFORE updating that important software!