Page MenuHomePhabricator

OOUI window management broken on pages with with additional frames, due to cross document access
Closed, ResolvedPublic

Description

When we click on Edit to edit a template content (like an infobox) in an article with Firefox, nothing happens and we get this error three times in the console:

Uncaught DOMException: Permission denied to access property "ownerDocument" on cross-origin object load.php:354

With debug=on, we get these three errors:

Uncaught DOMException: Permission denied to access property "ownerDocument" on cross-origin object Element.js:301
    getDocument Element.js:301
    getDimensions Element.js:462
    getSize Window.js:216
    getSizeProperties Window.js:236
    fitLabel ProcessDialog.js:263
    emit jQuery
    setLabel LabelElement.js:171
    getSetupProcess Dialog.js:233
    proceed Process.js:62
    jQuery 2


Uncaught DOMException: Permission denied to access property "ownerDocument" on cross-origin object Element.js:301
    getDocument Element.js:301
    getDimensions Element.js:462
    getSize Window.js:216
    getSizeProperties Window.js:236
    fitLabel ProcessDialog.js:263
    emit jQuery
    setLabel LabelElement.js:171
    updateTitle ve.ui.MWTemplateDialog.js:319
    updateTitle ve.ui.MWTransclusionDialog.js:250
    onReplacePart ve.ui.MWTemplateDialog.js:154
    onReplacePart ve.ui.MWTransclusionDialog.js:165
    emit jQuery
    process ve.dm.MWTransclusionModel.js:237
    fetchRequestAlways ve.dm.MWTransclusionModel.js:365
    <anonyme> self-hosted:948
    jQuery 3
    xhr index.js:273
    jQuery 4


Uncaught DOMException: Permission denied to access property "ownerDocument" on cross-origin object Element.js:301
    getDocument Element.js:301
    getDimensions Element.js:462
    getSize Window.js:216
    updateWindowSize WindowManager.js:707
    updateSize Window.js:454
    setSize Window.js:438
    setMode ve.ui.MWTransclusionDialog.js:231
    getSetupProcess ve.ui.MWTransclusionDialog.js:384
    proceed Process.js:62
    jQuery 2

It may be linked to T254693.

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 17 2020, 10:22 AM

I can't reproduce this. Does it happen for you on every page, or only on some specific pages? (which ones?)

The exception stack trace looks like it might be caused by https://gerrit.wikimedia.org/r/c/oojs/ui/+/605241… In getDimensions(), we previously used el.ownerDocument || el.document, now we call getDocument() which also checks obj[ 0 ].ownerDocument (unnecessarily in this case) and the exception is coming from that line.

The_RedBurn renamed this task from Infobox editor doesn't work on Firefox to Infobox editor doesn't work with Firefox.Jul 17 2020, 10:55 AM

Indeed, I can't reproduce it with a new Firefox profile but I can in a private window.
It happens on every page.
There is one other user who reported a similar problem with Firefox: https://www.wikidata.org/wiki/Wikidata:Project_chat#Merge_gadget_with_not_functioning_for_me_in_Firefox_78

It's caused by the extension Google Translator https://addons.mozilla.org/fr/firefox/addon/google-translator-webextension/

What is strange is that:

  • this extension was last updated on July 17, 2019 (not 2020)
  • Firefox (78.0.2) was last updated on July 9, 2020
  • I successfully edited an infobox 2 days ago - but can't edit that one now
TheDJ added a subscriber: TheDJ.EditedJul 17 2020, 1:46 PM

@matmarex Got it. In these cases obj is the window object (window.resize event ?). obj[0] == a global object and then global.ownerDocument throws the exception.

It is reproducible on pages with multiple documents (aka has an additional frame) like: https://it.wikivoyage.org/wiki/Firenze

https://developer.mozilla.org/en-US/docs/Web/API/Window
window[0], window[1], etc.
Returns a reference to the window object in the frames. See Window.frames for more details.

TheDJ renamed this task from Infobox editor doesn't work with Firefox to OOUI window management broken on pages with with additional frames, due to cross document access.Jul 17 2020, 2:09 PM
Andyrom75 added a comment.EditedJul 18 2020, 8:55 AM

@TheDJ, the problem in T258090 occurs even if I simply execute:

$.get('//wikivoyage.toolforge.org/w/poimap2.php');

that is the resource involved in MediaWiki:Gadget-MapFrame.js, as you can see the instruction do not use a frame.

The error I got is:

Access to XMLHttpRequest at 'https://wikivoyage.toolforge.org/w/poimap2.php' from origin 'https://it.wikivoyage.org' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
load.php?lang=it&modules=jquery%2Coojs-ui-core%2Coojs-ui-widgets|jquery.ui&skin=vector&version=2p8ww:133 GET https://wikivoyage.toolforge.org/w/poimap2.php net::ERR_FAILED

There's no way to solve the root of the CORS policy issue?

This comment was removed by Andyrom75.

Change 614821 had a related patch set uploaded (by Bartosz Dziewoński; owner: Bartosz Dziewoński):
[oojs/ui@master] Element: Avoid crash when getDocument() is called with window

https://gerrit.wikimedia.org/r/614821

I think this fix needs to be backported to WMF wikis and to MediaWiki 1.35.

Change 614821 merged by jenkins-bot:
[oojs/ui@master] Element: Avoid crash when getDocument() is called with window

https://gerrit.wikimedia.org/r/614821

Change 614852 had a related patch set uploaded (by Bartosz Dziewoński; owner: Bartosz Dziewoński):
[mediawiki/core@master] OOUI: Backport I3d88853fdf9915d2b08063c80ecaf7d92828a5df

https://gerrit.wikimedia.org/r/614852

There's no way to solve the root of the CORS policy issue?

https://wikitech.wikimedia.org/wiki/Help:Toolforge/Web/Lighttpd#Header,_mimetype,_character_encoding,_error_handler

By the way, please set a description for the tool—https://admin.toolforge.org/tool/wikivoyage shows hardly any information, so I couldn’t find the source code without the toolsadmin (accessible with the “manage maintainers” link), which requires LDAP login, and thus excludes the majority of people who don’t have an LDAP account.

@Tacsipacsi inside wikivoyage there is a set of script develped few years ago by a user not anymore active. Recently I got access to this tool because some of them do not work properly anymore. If you tell me what to do I'll be glad to support.

TheDJ added a comment.Jul 21 2020, 8:17 PM

Let me note that CORS is not a 'problem'. It's a mechanism by which webpage/JS/CSS authors can indicate which resources are safe for including in other resources. A bug tripped it by doing something NOT safe (and that is why things stopped working). CORS is not something to bypass, it is something to carefully configure as a web developer. Because of the recent toolsforge domain change there have been several CORS problems recently, but this one was completely unrelated. We just got confused around what exactly was tripping this due to it happening at the exact same time as the other issues. But the problem has been identified now and will be fixed soon.

Change 614852 merged by jenkins-bot:
[mediawiki/core@master] OOUI: Backport I3d88853fdf9915d2b08063c80ecaf7d92828a5df

https://gerrit.wikimedia.org/r/614852

Change 615432 had a related patch set uploaded (by Bartosz Dziewoński; owner: Bartosz Dziewoński):
[mediawiki/core@REL1_35] OOUI: Backport I3d88853fdf9915d2b08063c80ecaf7d92828a5df

https://gerrit.wikimedia.org/r/615432

Change 615432 merged by jenkins-bot:
[mediawiki/core@REL1_35] OOUI: Backport I3d88853fdf9915d2b08063c80ecaf7d92828a5df

https://gerrit.wikimedia.org/r/615432

Change 615433 had a related patch set uploaded (by Bartosz Dziewoński; owner: Bartosz Dziewoński):
[mediawiki/core@wmf/1.35.0-wmf.41] OOUI: Backport I3d88853fdf9915d2b08063c80ecaf7d92828a5df

https://gerrit.wikimedia.org/r/615433

Change 615434 had a related patch set uploaded (by Bartosz Dziewoński; owner: Bartosz Dziewoński):
[mediawiki/core@wmf/1.36.0-wmf.1] OOUI: Backport I3d88853fdf9915d2b08063c80ecaf7d92828a5df

https://gerrit.wikimedia.org/r/615434

Change 615433 merged by jenkins-bot:
[mediawiki/core@wmf/1.35.0-wmf.41] OOUI: Backport I3d88853fdf9915d2b08063c80ecaf7d92828a5df

https://gerrit.wikimedia.org/r/615433

Change 615434 merged by jenkins-bot:
[mediawiki/core@wmf/1.36.0-wmf.1] OOUI: Backport I3d88853fdf9915d2b08063c80ecaf7d92828a5df

https://gerrit.wikimedia.org/r/615434

@Tacsipacsi inside wikivoyage there is a set of script develped few years ago by a user not anymore active. Recently I got access to this tool because some of them do not work properly anymore. If you tell me what to do I'll be glad to support.

Probably at https://toolsadmin.wikimedia.org/tools/id/wikivoyage/info/id/323/edit? There’s a source code field there, but I’m not sure why the description specified there doesn’t show up https://admin.toolforge.org/tool/wikivoyage.

Let me note that CORS is not a 'problem'.

No, CORS itself is not a problem. But I don’t see how could allowing CORS requests coming from—and only from—Wikimedia wikis cause a security issue. Any JavaScript running on Wikimedia wikis is either by trusted interface admins, or by the user themselves.

matmarex closed this task as Resolved.Jul 22 2020, 7:57 PM
matmarex claimed this task.
matmarex removed a project: Patch-For-Review.

This should be resolved now.

Restricted Application added a project: User-Ryasmeen. · View Herald TranscriptJul 22 2020, 7:57 PM

@Andyrom75 I don't really understand how your issue is related to this, to be honest. It seems like an unrelated problem to me.

Change 617589 had a related patch set uploaded (by VolkerE; owner: VolkerE):
[mediawiki/core@master] Update OOUI to v0.40.0

https://gerrit.wikimedia.org/r/617589

Change 617589 abandoned by Jforrester:
[mediawiki/core@master] Update OOUI to v0.40.0

Reason:
Going straight to 0.40.1.

https://gerrit.wikimedia.org/r/617589