Bug 798565 - touch.target may point to native anonymous content, r=jst,wesj
authorOlli Pettay <Olli.Pettay@helsinki.fi>
Wed, 10 Oct 2012 22:13:59 +0300
changeset 109911 99898ec9976a24f130d3eabf64762797e45f9543
parent 109910 24783c876df0fc5d2781254a32e7862305996bdd
child 109912 21e0f119b3d6e13e75db3c9c4bd86661ac1499ab
child 109944 2fae8bd461da5dfa903d21a6a8b2d1af6c24d222
push id16266
push usereakhgari@mozilla.com
push dateThu, 11 Oct 2012 00:21:19 +0000
treeherdermozilla-inbound@21e0f119b3d6 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersjst, wesj
bugs798565
milestone19.0a1
first release with
nightly linux32
99898ec9976a / 19.0a1 / 20121011030552 / files
nightly linux64
99898ec9976a / 19.0a1 / 20121011030552 / files
nightly mac
99898ec9976a / 19.0a1 / 20121011030552 / files
nightly win32
99898ec9976a / 19.0a1 / 20121011030552 / files
nightly win64
99898ec9976a / 19.0a1 / 20121011030552 / files
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
releases
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 798565 - touch.target may point to native anonymous content, r=jst,wesj
content/events/src/nsDOMTouchEvent.cpp
content/events/test/test_bug603008.html
--- a/content/events/src/nsDOMTouchEvent.cpp
+++ b/content/events/src/nsDOMTouchEvent.cpp
@@ -32,16 +32,23 @@ nsDOMTouch::GetIdentifier(int32_t* aIden
 {
   *aIdentifier = mIdentifier;
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsDOMTouch::GetTarget(nsIDOMEventTarget** aTarget)
 {
+  nsCOMPtr<nsIContent> content = do_QueryInterface(mTarget);
+  if (content && content->ChromeOnlyAccess() &&
+      !nsContentUtils::CanAccessNativeAnon()) {
+    content = content->FindFirstNonChromeOnlyAccessContent();
+    *aTarget = content.forget().get();
+    return NS_OK;
+  }
   NS_IF_ADDREF(*aTarget = mTarget);
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsDOMTouch::GetScreenX(int32_t* aScreenX)
 {
   *aScreenX = mScreenPoint.x;
@@ -309,17 +316,17 @@ nsDOMTouchEvent::GetTargetTouches(nsIDOM
   nsTouchEvent* touchEvent = static_cast<nsTouchEvent*>(mEvent);
   nsTArray<nsCOMPtr<nsIDOMTouch> > touches = touchEvent->touches;
   for (uint32_t i = 0; i < touches.Length(); ++i) {
     // for touchend/cancel events, don't append to the target list if this is a
     // touch that is ending
     if ((mEvent->message != NS_TOUCH_END &&
          mEvent->message != NS_TOUCH_CANCEL) || !touches[i]->mChanged) {
       nsIDOMEventTarget* targetPtr = touches[i]->GetTarget();
-      if (targetPtr == mEvent->target) {
+      if (targetPtr == mEvent->originalTarget) {
         targetTouches.AppendElement(touches[i]);
       }
     }
   }
   mTargetTouches = new nsDOMTouchList(targetTouches);
   return CallQueryInterface(mTargetTouches, aTargetTouches);
 }
 
--- a/content/events/test/test_bug603008.html
+++ b/content/events/test/test_bug603008.html
@@ -491,34 +491,63 @@ function testRemovingElement() {
   target.removeEventListener("touchmove", checkTarget, false);
   target.removeEventListener("touchend", checkTarget, false);
 
   is(touchEvents, 2, "Check target was called twice");
 
   nextTest();
 }
 
+function testNAC() {
+  let cwu = SpecialPowers.getDOMWindowUtils(window);
+  let target = document.getElementById("testTarget3");
+  let bcr = target.getBoundingClientRect();
+
+  let touch1 = new testtouch({
+    page: {x: Math.round(bcr.left + bcr.width/2),
+           y: Math.round(bcr.top  + bcr.height/2)},
+    target: target
+  });
+  let event = new touchEvent({
+    touches: [touch1],
+    targetTouches: [touch1],
+    changedTouches: [touch1]
+  });
+
+  // test touchstart event fires correctly
+  var checkFunction = checkEvent(event);
+  window.addEventListener("touchstart", checkFunction, false);
+  sendTouchEvent(cwu, "touchstart", event, 0);
+  window.removeEventListener("touchstart", checkFunction, false);
+
+  sendTouchEvent(cwu, "touchend", event, 0);
+
+  nextTest();
+}
+
 function doTest() {
   tests.push(testSingleTouch);
   tests.push(testSingleTouch2);
   tests.push(testMultiTouch);
   tests.push(testPreventDefault);
   tests.push(testTouchChanged);
   tests.push(testRemovingElement);
+  tests.push(testNAC);
 
   tests.push(function() {
     SimpleTest.finish();
   });
 
   nextTest();
 }
 
 SimpleTest.waitForExplicitFinish();
 addLoadEvent(doTest);
 
 </script>
 </pre>
 <div id="parent">
   <span id="testTarget" style="padding: 5px; border: 1px solid black;">testTarget</span>
   <span id="testTarget2" style="padding: 5px; border: 1px solid blue;">testTarget</span>
+  <input type="text" id="testTarget3">
 </div>
 </body>
 </html>