firefox-esr update to 68.2.0esr-1~deb10u1: Popup while URL typing, blocked access across locally loaded frames

Hello Debian users,

due to the recent security advisory, I have just installed the updated
`firefox-esr` package. This caused three things:

1. In the running browser, I could no longer open tabs
   (it said something like the tab crashed).
   This was fixed by restarting the browser.

2. When attempting to type a URL, a large box appeared below
   the URL bar. I was able to reduce it to a small bar by
   applying this about:config tweak:

	browser.urlbar.maxRichResults = 0

   Yet I wonder if it might be possible to remove the appearing
   bar altogether? Has anyone been hit by this as well and found
   a more complete solution than said about:config tweak?
   (The idea is, that it is quite distracting to have anything
   beyond the cursor move when typing?)

3. This might not be fixable, but possibly someone has had the
   same issue and found a way: I am using a home-grown local XHTML
   page which loads other HTML pages in iframes. These iframes
   communicate with the outer page by using a JavaScript snippet
   as follows:

   <script type="text/javascript">
   	// <![CDATA[
   	parent.parseIntoDB(document.getElementsByTagName("body")[0], "j3d");
   	// ]]>
   </script>

   Where `parseIntoDB` is a function defined in the outer document
   that is intended to process data from the iframe. The whole thing
   is a substitute for XHR access from the times where XHR was only
   working if one had a Webserver. I have long intended to replace that
   whole construct but haven't yet got around to fixing it -- it isn't
   exactly easy although the current variant is less than 400 lines of
   code. (Main reason for difficulties in replacing is that newer
   implementations should be "less hacky" which will need about twice
   or three times the amount of code :) )

   In any case, since the most recent Firefox update, I get the following
   error in the Firefox console:

   SecurityError: Permission denied to access property "parseIntoDB" on cross-origin object j3d.html:716
       <anonymous> file:///usr/share/mdvl/ial/data/j3d.html:716

   So it is basically telling me "Permission denied" for my locally
   installed page? developer.mozilla.org has this:
   where it says:

   | There was attempt to access an object for which you have no permission.
   | This is likely an <iframe> element loaded from a different domain for
   | which you violated the same-origin policy.

   Until ``from a different domain'' I follow, but then it says
   something about ``violated the same-origin policy''. As both pages, the
   outer and the inner one are served from my local filesystem, I would
   expect that the same-origin policy is not ``violated'' in any way?

   Is there any chance that the old behaviour can be restored? Might it
   qualify for a bug report? I am wondering if the observed behaviour
   matches the documentation or if what I am seeing is more restrictive
   than it should be?

   In case it could be a bug, I will happily put together a sort of
   minimal example that demonstrates the problem.

   Btw. the same page has up to today never worked with Chromium-based
   browsers and also triggers some kind of error in their console which
   is along the lines of the new Firefox... that has been one of the
   major reasons for me to keep using Firefox all the time :)

   I just checked and found a workaround: Running a local server
   (s.t. the files are accessed through rather than
   file://) fixes the issue for now. It still seems strange that this
   would make a difference?

Thanks in advance
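
An added sketch, not part of the original message, of the origin comparison behind the error in point 3 and the local-server workaround. It assumes the browser gives every file:// document its own opaque origin and compares http(s) documents by scheme, host and port; the parent page name `index.xhtml` and port 8000 are constructed.

```javascript
// Added illustration: a model of the same-origin comparison, not Firefox code.
// Assumption: each file: document is its own opaque origin (never equal to
// another document's), while http(s) origins are (scheme, host, port) tuples.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function originOf(urlString) {
  const u = new URL(urlString);
  if (u.protocol in DEFAULT_PORTS) {
    return { opaque: false, scheme: u.protocol, host: u.hostname,
             port: u.port || DEFAULT_PORTS[u.protocol] };
  }
  return { opaque: true }; // file:, data:, about:, ...
}

// Decide whether script in the frame may touch properties of its parent,
// e.g. parent.parseIntoDB(...), and say why.
function frameMayCallParent(parentUrl, frameUrl) {
  const p = originOf(parentUrl);
  const f = originOf(frameUrl);
  if (p.opaque || f.opaque) {
    return { allowed: false, reason: "opaque origin (e.g. file:) matches nothing" };
  }
  for (const part of ["scheme", "host", "port"]) {
    if (p[part] !== f[part]) {
      return { allowed: false, reason: `${part} differs: ${p[part]} vs ${f[part]}` };
    }
  }
  return { allowed: true, reason: "same scheme, host and port" };
}

// Constructed sample URLs; only the j3d.html path appears in the message.
const cases = [
  ["file:///usr/share/mdvl/ial/index.xhtml", "file:///usr/share/mdvl/ial/data/j3d.html"],
  ["http://127.0.0.1:8000/index.xhtml", "http://127.0.0.1:8000/data/j3d.html"],
  ["http://localhost:8000/index.xhtml", "http://127.0.0.1:8000/data/j3d.html"],
];
for (const [parentUrl, frameUrl] of cases) {
  const { allowed, reason } = frameMayCallParent(parentUrl, frameUrl);
  console.log(`${allowed ? "allow" : "deny "} ${frameUrl} -> ${parentUrl}: ${reason}`);
}
```

The third case shows that the outer page and the iframes must be loaded through the same host name and port: `localhost` and `127.0.0.1` count as different origins.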
