Page MenuHomePhabricator
Create Task
Maniphest T258256

OOUI window management broken on pages with with additional frames, due to cross document access
Closed, ResolvedPublic
Actions

Description

When we click on Edit to edit a template content (like an infobox) in an article with Firefox, nothing happens and we get this error three times in the console:

Uncaught DOMException: Permission denied to access property "ownerDocument" on cross-origin object load.php:354

With debug=on, we get these three errors:

Uncaught DOMException: Permission denied to access property "ownerDocument" on cross-origin object Element.js:301
    getDocument Element.js:301
    getDimensions Element.js:462
    getSize Window.js:216
    getSizeProperties Window.js:236
    fitLabel ProcessDialog.js:263
    emit jQuery
    setLabel LabelElement.js:171
    getSetupProcess Dialog.js:233
    proceed Process.js:62
    jQuery 2


Uncaught DOMException: Permission denied to access property "ownerDocument" on cross-origin object Element.js:301
    getDocument Element.js:301
    getDimensions Element.js:462
    getSize Window.js:216
    getSizeProperties Window.js:236
    fitLabel ProcessDialog.js:263
    emit jQuery
    setLabel LabelElement.js:171
    updateTitle ve.ui.MWTemplateDialog.js:319
    updateTitle ve.ui.MWTransclusionDialog.js:250
    onReplacePart ve.ui.MWTemplateDialog.js:154
    onReplacePart ve.ui.MWTransclusionDialog.js:165
    emit jQuery
    process ve.dm.MWTransclusionModel.js:237
    fetchRequestAlways ve.dm.MWTransclusionModel.js:365
    <anonyme> self-hosted:948
    jQuery 3
    xhr index.js:273
    jQuery 4


Uncaught DOMException: Permission denied to access property "ownerDocument" on cross-origin object Element.js:301
    getDocument Element.js:301
    getDimensions Element.js:462
    getSize Window.js:216
    updateWindowSize WindowManager.js:707
    updateSize Window.js:454
    setSize Window.js:438
    setMode ve.ui.MWTransclusionDialog.js:231
    getSetupProcess ve.ui.MWTransclusionDialog.js:384
    proceed Process.js:62
    jQuery 2

It may be linked to T254693.

Details

ProjectBranchLines +/-Subject
mediawiki/coremaster+1 K -4 KUpdate OOUI to v0.40.0
mediawiki/corewmf/1.36.0-wmf.1+6 -6OOUI: Backport I3d88853fdf9915d2b08063c80ecaf7d92828a5df
mediawiki/corewmf/1.35.0-wmf.41+6 -6OOUI: Backport I3d88853fdf9915d2b08063c80ecaf7d92828a5df
mediawiki/coreREL1_35+6 -6OOUI: Backport I3d88853fdf9915d2b08063c80ecaf7d92828a5df
mediawiki/coremaster+6 -6OOUI: Backport I3d88853fdf9915d2b08063c80ecaf7d92828a5df
oojs/uimaster+26 -8Element: Avoid crash when getDocument() is called with `window`
Customize query in gerrit

Related Objects

Event Timeline

The_RedBurn created this task.Jul 17 2020, 10:22 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 17 2020, 10:22 AM
matmarex added subscribers: Esanders, matmarex.Jul 17 2020, 10:52 AM

I can't reproduce this. Does it happen for you on every page, or only on some specific pages? (which ones?)

The exception stack trace looks like it might be caused by https://gerrit.wikimedia.org/r/c/oojs/ui/+/605241… In getDimensions(), we previously used el.ownerDocument || el.document, now we call getDocument() which also checks obj[ 0 ].ownerDocument (unnecessarily in this case) and the exception is coming from that line.

The_RedBurn renamed this task from Infobox editor doesn't work on Firefox to Infobox editor doesn't work with Firefox.Jul 17 2020, 10:55 AM
The_RedBurn added a comment.Jul 17 2020, 11:14 AM

Indeed, I can't reproduce it with a new Firefox profile but I can in a private window.
It happens on every page.
There is one other user who reported a similar problem with Firefox: https://www.wikidata.org/wiki/Wikidata:Project_chat#Merge_gadget_with_not_functioning_for_me_in_Firefox_78

The_RedBurn added a comment.Jul 17 2020, 11:49 AM

It's caused by the extension Google Translator https://addons.mozilla.org/fr/firefox/addon/google-translator-webextension/

What is strange is that:

  • this extension was last updated on July 17, 2019 (not 2020)
  • Firefox (78.0.2) was last updated on July 9, 2020
  • I successfully edited an infobox 2 days ago - but can't edit that one now
The_RedBurn mentioned this in T258090: Kartographer map does not open on it.wikivoyage.org: "Blocked a frame from accessing a cross-origin frame".Jul 17 2020, 1:30 PM
TheDJ added a subscriber: TheDJ.EditedJul 17 2020, 1:46 PM

@matmarex Got it. In these cases obj is the window object (window.resize event ?). obj[0] == a global object and then global.ownerDocument throws the exception.

It is reproducible on pages with multiple documents (aka has an additional frame) like: https://it.wikivoyage.org/wiki/Firenze

https://developer.mozilla.org/en-US/docs/Web/API/Window
window[0], window[1], etc.
Returns a reference to the window object in the frames. See Window.frames for more details.

TheDJ added projects: OOUI, Regression.Jul 17 2020, 2:04 PM
TheDJ merged a task: T258254: Merge not working in Wikidata with Firefox.Jul 17 2020, 2:07 PM
TheDJ merged a task: T258090: Kartographer map does not open on it.wikivoyage.org: "Blocked a frame from accessing a cross-origin frame".
TheDJ added a subscriber: Andyrom75.
TheDJ renamed this task from Infobox editor doesn't work with Firefox to OOUI window management broken on pages with with additional frames, due to cross document access.Jul 17 2020, 2:09 PM
Andyrom75 added a comment.EditedJul 18 2020, 8:55 AM

@TheDJ, the problem in T258090 occurs even if I simply execute:

$.get('//wikivoyage.toolforge.org/w/poimap2.php');

that is the resource involved in MediaWiki:Gadget-MapFrame.js, as you can see the instruction do not use a frame.

The error I got is:

Access to XMLHttpRequest at 'https://wikivoyage.toolforge.org/w/poimap2.php' from origin 'https://it.wikivoyage.org' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
load.php?lang=it&modules=jquery%2Coojs-ui-core%2Coojs-ui-widgets|jquery.ui&skin=vector&version=2p8ww:133 GET https://wikivoyage.toolforge.org/w/poimap2.php net::ERR_FAILED

There's no way to solve the root of the CORS policy issue?

Andyrom75 added a comment.Jul 19 2020, 8:18 AM
This comment was removed by Andyrom75.
gerritbot added a comment.Jul 20 2020, 6:12 PM

Change 614821 had a related patch set uploaded (by Bartosz Dziewoński; owner: Bartosz Dziewoński):
[oojs/ui@master] Element: Avoid crash when getDocument() is called with window

https://gerrit.wikimedia.org/r/614821

gerritbot added a project: Patch-For-Review.Jul 20 2020, 6:12 PM
matmarex added a project: MW-1.35-release.Jul 20 2020, 6:14 PM

I think this fix needs to be backported to WMF wikis and to MediaWiki 1.35.

gerritbot added a comment.Jul 20 2020, 6:33 PM

Change 614821 merged by jenkins-bot:
[oojs/ui@master] Element: Avoid crash when getDocument() is called with window

https://gerrit.wikimedia.org/r/614821

Maintenance_bot removed a project: Patch-For-Review.Jul 20 2020, 7:10 PM
gerritbot added a comment.Jul 20 2020, 8:03 PM

Change 614852 had a related patch set uploaded (by Bartosz Dziewoński; owner: Bartosz Dziewoński):
[mediawiki/core@master] OOUI: Backport I3d88853fdf9915d2b08063c80ecaf7d92828a5df

https://gerrit.wikimedia.org/r/614852

gerritbot added a project: Patch-For-Review.Jul 20 2020, 8:03 PM
matmarex added subscribers: Volker_E, Jdforrester-WMF.Jul 20 2020, 8:04 PM
Tacsipacsi added a subscriber: Tacsipacsi.Jul 21 2020, 7:13 PM
In T258256#6316640, @Andyrom75 wrote:

There's no way to solve the root of the CORS policy issue?

https://wikitech.wikimedia.org/wiki/Help:Toolforge/Web/Lighttpd#Header,_mimetype,_character_encoding,_error_handler

By the way, please set a description for the tool—https://admin.toolforge.org/tool/wikivoyage shows hardly any information, so I couldn’t find the source code without the toolsadmin (accessible with the “manage maintainers” link), which requires LDAP login, and thus excludes the majority of people who don’t have an LDAP account.

Andyrom75 added a comment.Jul 21 2020, 7:40 PM

@Tacsipacsi inside wikivoyage there is a set of script develped few years ago by a user not anymore active. Recently I got access to this tool because some of them do not work properly anymore. If you tell me what to do I'll be glad to support.

TheDJ added a comment.Jul 21 2020, 8:17 PM
In T258256#6323852, @Tacsipacsi wrote:
In T258256#6316640, @Andyrom75 wrote:

There's no way to solve the root of the CORS policy issue?

https://wikitech.wikimedia.org/wiki/Help:Toolforge/Web/Lighttpd#Header,_mimetype,_character_encoding,_error_handler

Let me note that CORS is not a 'problem'. It's a mechanism by which webpage/JS/CSS authors can indicate which resources are safe for including in other resources. A bug tripped it by doing something NOT safe (and that is why things stopped working). CORS is not something to bypass, it is something to carefully configure as a web developer. Because of the recent toolsforge domain change there have been several CORS problems recently, but this one was completely unrelated. We just got confused around what exactly was tripping this due to it happening at the exact same time as the other issues. But the problem has been identified now and will be fixed soon.

gerritbot added a comment.Jul 21 2020, 11:53 PM

Change 614852 merged by jenkins-bot:
[mediawiki/core@master] OOUI: Backport I3d88853fdf9915d2b08063c80ecaf7d92828a5df

https://gerrit.wikimedia.org/r/614852

ReleaseTaggerBot added a project: MW-1.36-notes (1.36.0-wmf.2; 2020-07-28).Jul 22 2020, 12:02 AM
Maintenance_bot removed a project: Patch-For-Review.Jul 22 2020, 12:10 AM
gerritbot added a comment.Jul 22 2020, 2:49 PM

Change 615432 had a related patch set uploaded (by Bartosz Dziewoński; owner: Bartosz Dziewoński):
[mediawiki/core@REL1_35] OOUI: Backport I3d88853fdf9915d2b08063c80ecaf7d92828a5df

https://gerrit.wikimedia.org/r/615432

gerritbot added a project: Patch-For-Review.Jul 22 2020, 2:49 PM
gerritbot added a comment.Jul 22 2020, 3:00 PM

Change 615432 merged by jenkins-bot:
[mediawiki/core@REL1_35] OOUI: Backport I3d88853fdf9915d2b08063c80ecaf7d92828a5df

https://gerrit.wikimedia.org/r/615432

ReleaseTaggerBot added a project: MW-1.35-notes.Jul 22 2020, 3:00 PM
gerritbot added a comment.Jul 22 2020, 3:34 PM

Change 615433 had a related patch set uploaded (by Bartosz Dziewoński; owner: Bartosz Dziewoński):
[mediawiki/core@wmf/1.35.0-wmf.41] OOUI: Backport I3d88853fdf9915d2b08063c80ecaf7d92828a5df

https://gerrit.wikimedia.org/r/615433

gerritbot added a comment.Jul 22 2020, 3:35 PM

Change 615434 had a related patch set uploaded (by Bartosz Dziewoński; owner: Bartosz Dziewoński):
[mediawiki/core@wmf/1.36.0-wmf.1] OOUI: Backport I3d88853fdf9915d2b08063c80ecaf7d92828a5df

https://gerrit.wikimedia.org/r/615434

matmarex added a comment.Jul 22 2020, 3:38 PM

Scheduled deployment on Wikimedia wikis: https://wikitech.wikimedia.org/wiki/Deployments#deploycal-item-20200722T1800

gerritbot added a comment.Jul 22 2020, 6:24 PM

Change 615433 merged by jenkins-bot:
[mediawiki/core@wmf/1.35.0-wmf.41] OOUI: Backport I3d88853fdf9915d2b08063c80ecaf7d92828a5df

https://gerrit.wikimedia.org/r/615433

gerritbot added a comment.Jul 22 2020, 6:24 PM

Change 615434 merged by jenkins-bot:
[mediawiki/core@wmf/1.36.0-wmf.1] OOUI: Backport I3d88853fdf9915d2b08063c80ecaf7d92828a5df

https://gerrit.wikimedia.org/r/615434

Tacsipacsi added a comment.Jul 22 2020, 6:51 PM
In T258256#6323919, @Andyrom75 wrote:

@Tacsipacsi inside wikivoyage there is a set of script develped few years ago by a user not anymore active. Recently I got access to this tool because some of them do not work properly anymore. If you tell me what to do I'll be glad to support.

Probably at https://toolsadmin.wikimedia.org/tools/id/wikivoyage/info/id/323/edit? There’s a source code field there, but I’m not sure why the description specified there doesn’t show up https://admin.toolforge.org/tool/wikivoyage.

In T258256#6324109, @TheDJ wrote:

Let me note that CORS is not a 'problem'.

No, CORS itself is not a problem. But I don’t see how could allowing CORS requests coming from—and only from—Wikimedia wikis cause a security issue. Any JavaScript running on Wikimedia wikis is either by trusted interface admins, or by the user themselves.

ReleaseTaggerBot edited projects, added MW-1.36-notes (1.36.0-wmf.1; 2020-07-21), MW-1.35-notes (1.35.0-wmf.41; 2020-07-14); removed MW-1.35-notes, MW-1.36-notes (1.36.0-wmf.2; 2020-07-28).Jul 22 2020, 7:00 PM
matmarex closed this task as Resolved.Jul 22 2020, 7:57 PM
matmarex claimed this task.
matmarex removed a project: Patch-For-Review.

This should be resolved now.

Restricted Application added a project: User-Ryasmeen. · View Herald TranscriptJul 22 2020, 7:57 PM
matmarex added a comment.Jul 22 2020, 7:59 PM

@Andyrom75 I don't really understand how your issue is related to this, to be honest. It seems like an unrelated problem to me.

gerritbot added a comment.Jul 31 2020, 2:31 AM

Change 617589 had a related patch set uploaded (by VolkerE; owner: VolkerE):
[mediawiki/core@master] Update OOUI to v0.40.0

https://gerrit.wikimedia.org/r/617589

gerritbot added a project: Patch-For-Review.Jul 31 2020, 2:31 AM
gerritbot added a comment.Aug 5 2020, 9:56 PM

Change 617589 abandoned by Jforrester:
[mediawiki/core@master] Update OOUI to v0.40.0

Reason:
Going straight to 0.40.1.

https://gerrit.wikimedia.org/r/617589

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL