Firefox 3.5 - Security error" code: "1000" - NS_ERROR_DOM_SECURITY_ERR

Bug #473677 reported by Charles Curley on 2009-11-04
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Mozilla Firefox
Confirmed
Medium
firefox-3.5 (Ubuntu)
Medium
Unassigned

Bug Description

Binary package hint: firefox

Firefox 3.5 fails to operated correctly on this page: http://legisweb.state.wy.us/statutes/constitution.aspx Konqueror runs it just fine, as does FF 3.0 on Jaunty.

In general, it should be possible to click on a title in the left frame, and see that title in the right hand frame. FF 3.5 does not show the text of the title.

--------------------------------------------------
ccurley@dragon:~/Desktop$ pre firefox konqueror | sort
firefox-3.5-3.5.4+nobinonly-0ubuntu0.9.10.1--i386
firefox-3.5.4+nobinonly-0ubuntu0.9.10.1--all
firefox-3.5-branding-3.5.4+nobinonly-0ubuntu0.9.10.1--i386
firefox-3.5-gnome-support-3.5.4+nobinonly-0ubuntu0.9.10.1--i386
firefox-gnome-support-3.5.4+nobinonly-0ubuntu0.9.10.1--all
konqueror-4:4.3.2-0ubuntu3--i386
konqueror-nsplugins-4:4.3.2-0ubuntu3--i386
ccurley@dragon:~/Desktop$
--------------------------------------------------

I have seen similar failure elsewhere, and will add them here as I remember them.

I work as webdesigner and i re-create a js library with Domscripting of J. Sambells.
With safari is well but with ff thereis a little mistake:
error firefox
DOM cssRule
pour verification compatibilité avec soit ff soit msie.
Security error" code: "1000
[Break on this error] var rules = styleSheets[i].cssRules || styleSheets[i].rules;\n

Created attachment 273236
testcase

Bug 365772 is a bit related.
When cookies are denied, then storage is throwing errors when trying to access it, while document.cookie just returns an empty string.

http://www.whatwg.org/specs/web-apps/current-work/#security5
"
Treating persistent storage as cookies: user agents may present the persistent storage feature to the user in a way that does not distinguish it from HTTP session cookies. [RFC2965]
"
You could read that as "storage functions should not throw security errrors when cookie functions aren't doing it either", I guess. Although I suspect that part is more talking about the UI or something.

What is the cause of the security exception? Is this because it is trying to access the storage of a different domain? The spec says that doing this "must then raise a security exception." although it doesn't currently define what a "security exception" is.

Sorry, the testcase was made for http://localhost use.
If you then block cookies from localhost, you get the mentioned security errors when trying to access globalStorage['localhost.localDomain'].
This doesn't happen with cookies. You just seem to get an empty string returned when trying to get/set a cookie.

I don't think this is just related to bug 365772, I think this is bug 365772. I've encountered this problem on the cnn video site and when I set my cookie setting to "keep until they expire", cnn's video worked... see bug 442605.

I got this error today when I was testing the tryserver build from https://bugzilla.mozilla.org/show_bug.cgi?id=460346#c4.

Binary package hint: firefox

Firefox 3.5 fails to operated correctly on this page: http://legisweb.state.wy.us/statutes/constitution.aspx Konqueror runs it just fine, as does FF 3.0 on Jaunty.

In general, it should be possible to click on a title in the left frame, and see that title in the right hand frame. FF 3.5 does not show the text of the title.

--------------------------------------------------
ccurley@dragon:~/Desktop$ pre firefox konqueror | sort
firefox-3.5-3.5.4+nobinonly-0ubuntu0.9.10.1--i386
firefox-3.5.4+nobinonly-0ubuntu0.9.10.1--all
firefox-3.5-branding-3.5.4+nobinonly-0ubuntu0.9.10.1--i386
firefox-3.5-gnome-support-3.5.4+nobinonly-0ubuntu0.9.10.1--i386
firefox-gnome-support-3.5.4+nobinonly-0ubuntu0.9.10.1--all
konqueror-4:4.3.2-0ubuntu3--i386
konqueror-nsplugins-4:4.3.2-0ubuntu3--i386
ccurley@dragon:~/Desktop$
--------------------------------------------------

I have seen similar failure elsewhere, and will add them here as I remember them.

Charles Curley (charlescurley) wrote :

This bug may be related to https://bugs.launchpad.net/ubuntu/+source/firefox-3.5/+bug/399380, "comcastsupport.com web chat works with firefox-3.0, doesn't work with firefox-3.5". I tried the profile trick in comment 2. No joy.

Here is the site I tested:
http://legisweb.state.wy.us/statutes/constitution.aspx

Same NS_ERROR_DOM_SECURITY_ERR error with same security code.
I can confirm this on Firefox 3.5.4:
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.4) Gecko/20091028 Ubuntu/9.10 (karmic) Firefox/3.5.4
and
Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9.1.4) Gecko/20091016 Firefox/3.5.4
and r26510
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.5pre) Gecko/20091031 Ubuntu/9.10 (karmic) Shiretoko/3.5.5pre

This seems to be fixed in 3.6 Beta 1 Build 3

Ubuntu Bug:
https://bugs.launchpad.net/bugs/473677

Thank you for your bug report. This bug has been reported to the developers of the software. You can track it and make comments at: https://bugzilla.mozilla.org/show_bug.cgi?id=389002

Moving to Firefox 3.5 for Triage. I can confirm this is broke in Firefox 3.6, but this is Fixed in Firefox 3.6 Beta 1

affects: firefox (Ubuntu) → firefox-3.5 (Ubuntu)
Changed in firefox-3.5 (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
summary: - Firefox 3.5 (Karmic) fails on known working web page
+ Firefox 3.5 - Security error" code: "1000" - NS_ERROR_DOM_SECURITY_ERR
Changed in firefox:
status: Unknown → Confirmed
Micah Gersten (micahg) wrote :

Oops, meant to say broke with Firefox 3.5 and fixed in 3.6

description: updated
tags: added: cssrule ruledom
Changed in firefox:
importance: Unknown → Medium

Well, CNN video now plays with my third-party cookies turned off, or with the lifetime set to "Ask every time" and me selecting "For session". However, given that this bug is 3 years old, that could be due to changes on CNN.com

But, I can still get the error if I do something that tries to set a cookie from javascript while the "Ask every time" setting is on (lifetimePolicy = 1).

Couple of examples after clearing out all of my cnn.com cookies and loading http://edition.cnn.com:

Error: uncaught exception: [Exception... "Security error" code: "1000" nsresult: "0x805303e8 (NS_ERROR_DOM_SECURITY_ERR)" location: "http://i.cdn.turner.com/cnn/.element/js/3.0/StorageManager.js?20100728 Line: 345"]

This is line 345 of that js:
                return (window.localStorage && (window.localStorage!=null));

The page then prompts me if I want it to make the International Edition my default. If I press Yes or No, I get a similar error:

Error: uncaught exception: [Exception... "Security error" code: "1000" nsresult: "0x805303e8 (NS_ERROR_DOM_SECURITY_ERR)" location: "http://i.cdn.turner.com/cnn/.element/js/3.0/s_code.intl.js Line: 521"]

The cookie that stores the default edition is set, but the prompt to make a selection does not go away. s_code.intl.js (or s_code.js on the US site) is Omniture, and there's no telling from their mangled javascript what that's trying to do, but I don't see a reference to localStorage anywhere in that javascript.

I've tried several times back and forth and have confirmed that the above errors only happen when I have the cookie lifetime policy set to '1' (Ask me every time).

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10

(In reply to comment #7)
>
> But, I can still get the error if I do something that tries to set a cookie
> from javascript while the "Ask every time" setting is on (lifetimePolicy = 1).
>

Sorry, that was misleading. I was speculating before I looked at the js, but in the one case it's trying to access window.localStorage and in other case (the Omniture js) I can't tell what it's trying to do, though Omniture is known to get invoked (to send a usage data back to their servers via AJAX) in response to clicking a hyperlink.

We are experiencing the same problem in Firebug.
Test case + more details here:
http://code.google.com/p/fbug/issues/detail?id=3805

Honza

This is reproducible on the webtogs website:

http://www.webtogs.co.uk/Icebreaker_Long_Sleeve_Base_Layers__0/

with 3rd party cookies set to "ask me every time".

Setting to "until they expire" results in the site working.

The error reported in the console is:

Error: uncaught exception: [Exception... "Security error" code: "1000" nsresult: "0x805303e8 (NS_ERROR_DOM_SECURITY_ERR)" location: "http://cdn.webtogs.com/js/mootools-1.2.5-core-yc.js Line: 24"]

This bug was supposedly fixed in 3.6, but it's still there in 4.0. I can reproduce it with the following code:

        if (localStorage) {
            alert("yes")
        } else {
            alert("no")
        }

If cookies are disabled, I get a "security error code 1000", regardless of whether local storage is enabled or not.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.