firefox-esr update to 68.2.0esr-1~deb10u1: Popup while URL typing, blocked access across locally loaded frames
Hello Debian users,
due to the recent security advisory, I have just installed the updated
`firefox-esr` package. This caused three things:
1. In the running browser, I could no longer open tabs
(it said something like the tab crashed).
This was fixed by restarting the browser.
2. When attempting to type an URL, a large box appeared below
the URL bar. I was able to reduce it to a small bar by
applying this about:config tweak:
browser.urlbar.maxRichResults = 0
Jet I wonder, if it might be possible to remove the appearing
bar altogether? Has anyone been hit by this as well and found
a more complete solution than said about:config tweak?
(The idea is, that it is quite distracting to have anything
beyond the cursor move when typing?)
3. This might not be fixable, but possibly someone has had the
same issue and found a way: I am using a home-grown local XHTML
page which loads other HTML pages in iframes. These iframes
communicate with the outer page by using a JavaScript snippet
as follows:
<script type="text/javascript">
// <![CDATA[
parent.parseIntoDB(document.getElementsByTagName("body")[0], "j3d");
// ]]>
</script>
Where `parseIntoDB` is a function defined in the outer document
that is intended to process data from the iframe. The whole thing
is a substitute for XHR access from the times where XHR was only
working if one had a Webserver. I have long intended to replace that
whole construct but haven't yet got around to fixing it -- it isn't
exactly easy although the current variant is less than 400 lines of
code. (Main reason for diffculties in replacing is that newer
implementations should be "less hacky" which will need about twice
or three times the amount of code :) )
In any case, since the most recent Firefox update, I get the following
error in the Firefox console:
SecurityError: Permission denied to access property "parseIntoDB" on cross-origin object j3d.html:716
<anonymous> file:///usr/share/mdvl/ial/data/j3d.html:716
So it is basically telling me "Permission denied" for my locally
installed page? developer.mozilla.org has this:
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Errors/Property_access_denied
where it says:
| There was attempt to access an object for which you have no permission.
| This is likely an <iframe> element loaded from a different domain for
| which you violated the same-origin policy.
Until ``from a different domain'' I follow, but then it says
something about ``violated the same-origin policy''. As both pages, the
outer and the inner one are served from my local filesystem, I would
expect that the same-origin policy is not ``violated'' in any way?
Is there any chance that the old behaviour can be restored? Might it
qualify for a bug report? I am wondering if the observed behaviour
matches the documentation or if what I am seeing is more restrictive
than it should be?
In case it could be a bug, I will happily put together a sort of
minimal example that demonstrates the problem.
Btw. the same page has up to today never worked with Chromium-based
browsers and also triggers some kind of error in their console which
is along the lines of the new Firefox... that has been one of the
major reasons for me to keep using Firefox all the time :)
I just checked and found a workaround: Running a local server
(s.t. the files are accessed through 127.0.0.1 rather than
file://) fixes the issue for now. It still seems strange that this
would make a difference?
Thanks in advance
Linux-Fan
Reply to: