Issue 1962 in google-caja: untame({}) breaks for-in on Firefox 37, 38 beta

googl...@googlecode.com

Apr 6, 2015, 7:26:57 PM
to google-ca...@googlegroups.com
Status: New
Owner: kpr...@google.com
Labels: Type-Defect Priority-High Component-SES

New issue 1962 by kpr...@google.com: untame({}) breaks for-in on Firefox
37, 38 beta
https://code.google.com/p/google-caja/issues/detail?id=1962

Firefox 37 and 38.0 beta.

var o = frame.untame(frame.iframe.contentWindow.eval('({})'));
for (var x in o) {}

The for loop throws "TypeError: undefined is not a function". This
shouldn't even be possible (without proxies, and there aren't any proxies
here), so it's probably a browser bug.

Any untame()d record object exhibits the problem. The unsafe eval is just
to have less machinery involved.

Other language meta-operations (e.g. getOwnPropertyNames) on the object
work normally.

googl...@googlecode.com

Apr 8, 2015, 3:06:58 PM
to google-ca...@googlegroups.com

Comment #1 on issue 1962 by kpr...@google.com: untame({}) breaks for-in on
Further debugging says:

• The taming membrane is not actually involved at all; simply looping on an
object constructed in the SES frame, from the outer frame, is sufficient.

• If I load SES in a frame (not the rest of Caja), then the problem occurs.
If I disable the root call to clean() in startSES, then it does not.

googl...@googlecode.com

Apr 8, 2015, 5:16:34 PM
to google-ca...@googlegroups.com
Updates:
Owner: eri...@google.com

Comment #2 on issue 1962 by kpr...@google.com: untame({}) breaks for-in on
I instrumented cleanProperty to check for the problem before and after each
deletion. It indicated the problem being at
cajaVM.anonIntrinsics.IteratorPrototype.next.

If I whitelist this property as '*', then the problem goes away.

I turn this over to MarkM to determine whether this is a bug in Firefox
that it cares about the property, or something we need to support for
ES6-world.

googl...@googlecode.com

Apr 8, 2015, 5:40:25 PM
to google-ca...@googlegroups.com

Comment #3 on issue 1962 by eri...@google.com: untame({}) breaks for-in on
This is a bug in Firefox. for/of must depend on .next and break if you
delete it. for/in must not.

googl...@googlecode.com

Apr 8, 2015, 5:42:27 PM
to google-ca...@googlegroups.com

Comment #4 on issue 1962 by kpr...@google.com: untame({}) breaks for-in on
OK. Can you take care of reporting it?

(Oh, also note that it only occurs cross-frame; for-in does not throw when
evaluated in the frame which has had the property deleted.)
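
The per-deletion check described in comment #2, combined with the for/of versus for/in expectation from comment #3, as an added example that is not part of the original thread and is not Caja or SES code. The names `cleanWithProbes`, `probes` and the flat `'*'` whitelist shape are hypothetical; it runs in a single realm on a standards-conforming engine, so it shows the expected behaviour rather than reproducing the Firefox cross-frame fault.

```javascript
// Added example. cleanWithProbes, probes and the flat whitelist shape are
// hypothetical names for illustration, not SES's cleanProperty or whitelist.

// %ArrayIteratorPrototype% is an anonymous intrinsic: reachable only via an instance.
const ArrayIteratorPrototype = Object.getPrototypeOf([][Symbol.iterator]());

// Each probe returns true while the language operation still works.
const probes = {
  forIn() { try { for (const k in { a: 1 }) {} return true; } catch (e) { return false; } },
  forOf() { try { for (const v of [1]) {} return true; } catch (e) { return false; } },
};

function runProbes() {
  const out = {};
  for (const name in probes) out[name] = probes[name]();
  return out;
}

// Delete each own property of obj not whitelisted as '*', probing before and
// after every deletion, and report which deletion broke which operation.
// Deleted properties are restored afterwards so the realm stays usable.
function cleanWithProbes(obj, path, whitelist) {
  const saved = [];
  const findings = [];
  try {
    const keys = Reflect.ownKeys(obj);
    for (let i = 0; i < keys.length; i++) { // index loops only: for-of may be broken here
      const key = keys[i];
      const desc = Object.getOwnPropertyDescriptor(obj, key);
      if (whitelist[key] === '*' || !desc.configurable) continue;
      const before = runProbes();
      delete obj[key];
      saved.push([key, desc]);
      const after = runProbes();
      for (const name in probes) {
        if (before[name] && !after[name]) {
          findings.push(path + '.' + String(key) + ' breaks ' + name);
        }
      }
    }
  } finally {
    for (let i = 0; i < saved.length; i++) {
      Object.defineProperty(obj, saved[i][0], saved[i][1]);
    }
  }
  return findings;
}

console.log(cleanWithProbes(ArrayIteratorPrototype, 'ArrayIteratorPrototype', {}));
console.log(cleanWithProbes(ArrayIteratorPrototype, 'ArrayIteratorPrototype', { next: '*' }));
```

A `forIn` finding from such a harness would indicate the engine fault discussed in this thread, since only for/of is permitted to depend on `next`.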