Bug 1370630 - Untrusted submit event shouldn't trigger form submission; r=smaug
Differential Revision: https://phabricator.services.mozilla.com/D28070
parent
8059c3b59d
commit
c8284bad50
@ -243,6 +243,7 @@ skip-if = toolkit == 'android' # Bug 1312791
|
||||
[test_slotted_mouse_event.html]
|
||||
[test_slotted_text_click.html]
|
||||
[test_unbound_before_in_active_chain.html]
|
||||
[test_submitevent_on_form.html]
|
||||
[test_wheel_zoom_on_form_controls.html]
|
||||
skip-if = verify
|
||||
[test_focus_blur_on_click_in_cross_origin_iframe.html]
|
||||
|
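--- /dev/null
+++ b/dom/events/test/test_submitevent_on_form.html
@@ -0,0 +1,41 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+<title>Test submit event on form</title>
+<script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+<script type="text/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
+<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<form action="javascript:doDefault()" id="form">
+<input type="submit" value="Do Default Action">
+</form>
+<pre id="test">
+<script type="application/javascript">
+SimpleTest.waitForExplicitFinish();
+SimpleTest.waitForFocus(runTests);
+
+var doDefaultAction = false;
+
+function doDefault()
+{
+doDefaultAction = true;
+}
+
+async function runTests()
+{
+await SpecialPowers.pushPrefEnv({
+set: [["dom.forms.submit.trusted_event_only", true]],
+});
+
+let form = document.getElementById("form");
+form.dispatchEvent(new Event('submit'));
+setTimeout(() => {
+ok(!doDefaultAction, "untrusted submit event shouldn't trigger form default action");
+SimpleTest.finish();
+});
+}
+</script>
+</pre>
+</body>
+</html>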
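Review bot: The test has no positive control — nothing in runTests confirms that a trusted submission still reaches `doDefault()`, so if the `javascript:doDefault()` action never ran at all, or ran only after the zero-delay `setTimeout`, the final `ok(!doDefaultAction, …)` would pass for the wrong reason. Consider first submitting through the button with EventUtils, `synthesizeMouseAtCenter(document.querySelector("input"), {});`, asserting `ok(doDefaultAction, "trusted submit triggers default action");`, then resetting the flag before dispatching the untrusted `submit`. The bare `setTimeout` also encodes an assumption about when the `javascript:` action would have run; a one-line comment stating why a single task turn is enough would help the next reader.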
@ -46,6 +46,7 @@
|
||||
#include "mozilla/dom/FormDataEvent.h"
|
||||
#include "mozilla/dom/SubmitEvent.h"
|
||||
#include "mozilla/Telemetry.h"
|
||||
#include "mozilla/StaticPrefs_dom.h"
|
||||
#include "mozilla/StaticPrefs_prompts.h"
|
||||
#include "nsIFormSubmitObserver.h"
|
||||
#include "nsIObserverService.h"
|
||||
@ -505,9 +506,19 @@ void HTMLFormElement::UnbindFromTree(bool aNullParent) {
|
||||
ForgetCurrentSubmission();
|
||||
}
|
||||
|
||||
static bool CanSubmit(WidgetEvent& aEvent) {
|
||||
// According to the UI events spec section "Trusted events", we shouldn't
|
||||
// trigger UA default action with an untrusted event except click.
|
||||
// However, there are still some sites depending on sending untrusted event
|
||||
// to submit form, see Bug 1370630.
|
||||
return !StaticPrefs::dom_forms_submit_trusted_event_only() ||
|
||||
aEvent.IsTrusted();
|
||||
}
|
||||
|
||||
void HTMLFormElement::GetEventTargetParent(EventChainPreVisitor& aVisitor) {
|
||||
aVisitor.mWantsWillHandleEvent = true;
|
||||
if (aVisitor.mEvent->mOriginalTarget == static_cast<nsIContent*>(this)) {
|
||||
if (aVisitor.mEvent->mOriginalTarget == static_cast<nsIContent*>(this) &&
|
||||
CanSubmit(*aVisitor.mEvent)) {
|
||||
uint32_t msg = aVisitor.mEvent->mMessage;
|
||||
if (msg == eFormSubmit) {
|
||||
if (mGeneratingSubmit) {
|
||||
@ -544,7 +555,8 @@ void HTMLFormElement::WillHandleEvent(EventChainPostVisitor& aVisitor) {
|
||||
}
|
||||
|
||||
nsresult HTMLFormElement::PostHandleEvent(EventChainPostVisitor& aVisitor) {
|
||||
if (aVisitor.mEvent->mOriginalTarget == static_cast<nsIContent*>(this)) {
|
||||
if (aVisitor.mEvent->mOriginalTarget == static_cast<nsIContent*>(this) &&
|
||||
CanSubmit(*aVisitor.mEvent)) {
|
||||
EventMessage msg = aVisitor.mEvent->mMessage;
|
||||
if (msg == eFormSubmit) {
|
||||
// let the form know not to defer subsequent submissions
|
||||
|
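Review bot: `CanSubmit(*aVisitor.mEvent)` is ANDed into the outer `mOriginalTarget == this` condition in GetEventTargetParent (and the same way in the PostHandleEvent hunk), so with the pref on every untrusted event targeted at the form skips the whole block, not only the `eFormSubmit` branch; the block continues past the hunk, and if it handles other messages there, those are gated as well, which is wider than the commit title states. Narrowing the check to the submit branch, e.g. `if (msg == eFormSubmit && CanSubmit(*aVisitor.mEvent)) {`, would keep the change to what Bug 1370630 asks for, assuming the other branches should keep their previous behaviour. The gate is also duplicated verbatim in the two methods, so a comment on CanSubmit such as `// Called from both GetEventTargetParent and PostHandleEvent; keep the two checks in sync.` would reduce the risk of the pair drifting apart. Minor wording in the CanSubmit comment: `// to submit forms` rather than `// to submit form`.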
@ -1870,6 +1870,12 @@
|
||||
value: false
|
||||
mirror: always
|
||||
|
||||
# Only trusted submit event could trigger form submission.
|
||||
- name: dom.forms.submit.trusted_event_only
|
||||
type: bool
|
||||
value: false
|
||||
mirror: always
|
||||
|
||||
# This pref just controls whether we format the number with grouping separator
|
||||
# characters when the internal value is set or updated. It does not stop the
|
||||
# user from typing in a number and using grouping separators.
|
||||
|
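Review bot: The pref comment `# Only trusted submit event could trigger form submission.` reads as a description of current behaviour, but the value is `false`, so by default untrusted submit events still submit the form; the comment should say what the pref does when enabled and why it is off. Suggested wording: `# When true, only a trusted submit event can trigger form submission (Bug 1370630).` followed by `# Off by default because some sites still dispatch untrusted submit events.`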