Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Recaptcha fails with script::dom::bindings::error, breaks many login pages #27820

Open
philip-lamb opened this issue Nov 25, 2020 · 9 comments
Open

Recaptcha fails with script::dom::bindings::error, breaks many login pages #27820

philip-lamb opened this issue Nov 25, 2020 · 9 comments

Comments

@philip-lamb
Copy link
Contributor

Servo local build from ce62f6f

Launch with ./mach run --release https://www.google.com/recaptcha/api2/demo.

Page loads. Click on "I'm not a robot" button. Spinner spins, but log shows:

ERROR script::dom::bindings::error] Error at :0:0 SecurityError: The operation is insecure.

multiple times, and spinner times out without enabling the "I'm not a robot" checkbox.

Related:
#22900
#24168
#25729
#17183
@jdm
Copy link
Member

jdm commented Nov 25, 2020 

* thread #82, stop reason = breakpoint 1.18
    frame #0: 0x000000010138b649 servo`script::dom::bindings::error::throw_dom_exception::h914c7c63f2666d79(cx=JSContext @ 0x0000700015ebb038, global=0x0000000132e46800, result=Error @ 0x0000700015ebb160) at error.rs:134:28
    frame #1: 0x0000000100a3cef1 servo`script::dom::windowproxy::throw_security_error::h1eca6b7cd007b707(cx=0x000000011536a800, realm=InRealm @ 0x0000700015ebb188) at windowproxy.rs:1086:9
    frame #2: 0x0000000100a3d2a7 servo`script::dom::windowproxy::has_xorigin::hc3a83c0ae789e476(cx=0x000000011536a800, proxy=Handle<*mut mozjs_sys::generated::root::JSObject> @ 0x0000700015ebb200, id=Handle<mozjs_sys::generated::root::JS::PropertyKey> @ 0x0000700015ebb210, bp=0x0000700015ebb3a7) at windowproxy.rs:1108:9
  * frame #3: 0x0000000100a3d35b servo`script::dom::windowproxy::get_xorigin::h84aa4df3b03704f8(cx=0x000000011536a800, proxy=Handle<*mut mozjs_sys::generated::root::JSObject> @ 0x0000700015ebb360, receiver=Handle<mozjs_sys::generated::root::JS::Value> @ 0x0000700015ebb370, id=Handle<mozjs_sys::generated::root::JS::PropertyKey> @ 0x0000700015ebb380, vp=MutableHandle<mozjs_sys::generated::root::JS::Value> @ 0x0000700015ebb390) at windowproxy.rs:1121:5
    frame #4: 0x00000001028c8c03 servo`WrapperProxyHandler::get(this=0x0000000132bbdbf0, cx=0x000000011536a800, proxy=JS::HandleObject @ 0x0000700015ebb478, receiver=JS::HandleValue @ 0x0000700015ebb470, id=JS::HandleId @ 0x0000700015ebb468, vp=JS::MutableHandleValue @ 0x0000700015ebb460) const at jsglue.cpp:363:5
    frame #5: 0x000000010299cbd0 servo`js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) [inlined] js::Proxy::getInternal(cx=0x000000011536a800, proxy=JS::HandleObject @ r12, receiver=<unavailable>, id=JS::HandleId @ r15, vp=JS::MutableHandleValue @ r14) at Proxy.cpp:332:19 [opt]
    frame #6: 0x000000010299cb89 servo`js::Proxy::get(cx=0x000000011536a800, proxy=JS::HandleObject @ r12, receiver_=<unavailable>, id=JS::HandleId @ r15, vp=JS::MutableHandleValue @ r14) at Proxy.cpp:340 [opt]
    frame #7: 0x00000001029a66e0 servo`js::ForwardingProxyHandler::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) const at ObjectOperations-inl.h:114:12 [opt]
    frame #8: 0x00000001029a66bd servo`js::ForwardingProxyHandler::get(this=<unavailable>, cx=<unavailable>, proxy=<unavailable>, receiver=<unavailable>, id=<unavailable>, vp=<unavailable>) const at Wrapper.cpp:141 [opt]
    frame #9: 0x000000010299581d servo`js::CrossCompartmentWrapper::get(this=0x0000000107767058, cx=0x000000011536a800, wrapper=JS::HandleObject @ r12, receiver=<unavailable>, id=JS::HandleId @ r15, vp=JS::MutableHandleValue @ 0x0000700015ebb560) const at CrossCompartmentWrapper.cpp:187:19 [opt]
    frame #10: 0x000000010299cbd0 servo`js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) [inlined] js::Proxy::getInternal(cx=0x000000011536a800, proxy=JS::HandleObject @ r12, receiver=<unavailable>, id=JS::HandleId @ r15, vp=JS::MutableHandleValue @ r14) at Proxy.cpp:332:19 [opt]
    frame #11: 0x000000010299cb89 servo`js::Proxy::get(cx=0x000000011536a800, proxy=JS::HandleObject @ r12, receiver_=<unavailable>, id=JS::HandleId @ r15, vp=JS::MutableHandleValue @ r14) at Proxy.cpp:340 [opt]
    frame #12: 0x00000001028ee997 servo`Interpret(JSContext*, js::RunState&) at ObjectOperations-inl.h:114:12 [opt]
    frame #13: 0x00000001028ee94f servo`Interpret(JSContext*, js::RunState&) at Interpreter-inl.h:486 [opt]
    frame #14: 0x00000001028ee87f servo`Interpret(JSContext*, js::RunState&) [inlined] js::GetElementOperation(cx=0x000000011536a800, op=<unavailable>, lref=JS::HandleValue @ 0x0000700015ebb6a0, rref=<unavailable>, res=JS::MutableHandleValue @ 0x0000700015ebb6a0) at Interpreter-inl.h:600 [opt]
    frame #15: 0x00000001028ee7f7 servo`Interpret(cx=<unavailable>, state=0x0000700015ebbb48) at Interpreter.cpp:2923 [opt]
    frame #16: 0x00000001028e43ff servo`js::RunScript(cx=0x000000011536a800, state=0x0000700015ebbb48) at Interpreter.cpp:423:10 [opt]
    frame #17: 0x00000001028f9bd8 servo`js::ExecuteKernel(cx=<unavailable>, script=<unavailable>, envChainArg=<unavailable>, newTargetValue=<unavailable>, evalInFrame=<unavailable>, result=<unavailable>) at Interpreter.cpp:810:13 [opt]
    frame #18: 0x00000001028f9d96 servo`js::Execute(cx=0x000000011536a800, script=JS::HandleScript @ r15, envChainArg=<unavailable>, rval=0x0000700015ebc7c0) at Interpreter.cpp:843:10 [opt]
    frame #19: 0x00000001029d22b1 servo`JS_ExecuteScript(cx=0x000000011536a800, scriptArg=<unavailable>, rval=<unavailable>) at CompilationAndEvaluation.cpp:480:10 [opt]
    frame #20: 0x0000000102463ac6 servo`mozjs::rust::wrappers::JS_ExecuteScript::h542cd76670a56483(cx=0x000000011536a800, script=Handle<*mut mozjs_sys::generated::root::JSScript> @ 0x0000700015ebbc80, rval=MutableHandle<mozjs_sys::generated::root::JS::Value> @ 0x0000700015ebbc88) at rust.rs:1456:51
    frame #21: 0x000000010211a8f0 servo`script::dom::globalscope::GlobalScope::evaluate_script_on_global_with_result::_$u7b$$u7b$closure$u7d$$u7d$::haf1e4f7bce597f59 at globalscope.rs:2642:34
    frame #22: 0x0000000100ef7936 servo`profile_traits::time::profile::hc60225eafbb84b58(category=ScriptEvaluate, meta=Option<profile_traits::time::TimerMetadata> @ 0x0000700015ebc5d0, profiler_chan=ProfilerChan @ 0x0000700015ebc3f4, callback=closure-0 @ 0x0000700015ebc610) at time.rs:141:15
    frame #23: 0x0000000102119b3d servo`script::dom::globalscope::GlobalScope::evaluate_script_on_global_with_result::h81b18eb81fabf053(self=0x000000012aa04e00, code=0x0000700015ebca30, filename=(data_ptr = "https://www.google.com/recaptcha/api2/bframe?hl=en&v=UFwvoDBMjc8LiYc1DKXiAomK&k=6Le-wvkSAAAAAPBMRTvw0Q4Muexq9bi0DJwx_mJ-&cb=i2uzhv7diked", length = 136), rval=MutableHandle<mozjs_sys::generated::root::JS::Value> @ 0x0000700015ebc580, line_number=32, fetch_options=ScriptFetchOptions @ 0x0000700015ebc7e0, script_base_url=ServoUrl @ 0x0000700015ebc6b8) at globalscope.rs:2582:9
    frame #24: 0x000000010234f4dd servo`script::dom::htmlscriptelement::HTMLScriptElement::run_a_classic_script::h65274cfd0a004975(self=0x00000001393bdc40, script=0x0000700015ebca30) at htmlscriptelement.rs:1059:9
    frame #25: 0x000000010234edca servo`script::dom::htmlscriptelement::HTMLScriptElement::execute::h88898bf58376c2d3(self=0x00000001393bdc40, result=Result<script::dom::htmlscriptelement::ScriptOrigin, net_traits::NetworkError> @ 0x0000700015ebd840) at htmlscriptelement.rs:1021:17
    frame #26: 0x000000010234b35a servo`script::dom::htmlscriptelement::HTMLScriptElement::prepare::h2d9640e7a5a3d79c(self=0x00000001393bdc40) at htmlscriptelement.rs:828:25
    frame #27: 0x000000010110695d servo`script::dom::servoparser::ServoParser::tokenize::hea9822f0a4ad056d(self=0x00000001392fe000, feed=closure-0 @ 0x0000700015ebda68) at mod.rs:575:13
    frame #28: 0x0000000101105ea2 servo`script::dom::servoparser::ServoParser::do_parse_sync::h7fcfd6b181d5c4d4(self=0x00000001392fe000) at mod.rs:516:9
    frame #29: 0x0000000101105bb4 servo`script::dom::servoparser::ServoParser::parse_sync::_$u7b$$u7b$closure$u7d$$u7d$::h370399c2a30309cb at mod.rs:498:16
    frame #30: 0x0000000100ef88c5 servo`profile_traits::time::profile::he37de4c3016a5477(category=ScriptParseHTML, meta=Option<profile_traits::time::TimerMetadata> @ 0x0000700015ebded8, profiler_chan=ProfilerChan @ 0x0000700015ebdd64, callback=closure-0 @ 0x0000700015ebdde8) at time.rs:141:15
    frame #31: 0x0000000101105b33 servo`script::dom::servoparser::ServoParser::parse_sync::h8f6e801db321281f(self=0x00000001392fe000) at mod.rs:490:9
    frame #32: 0x0000000101103f5d servo`script::dom::servoparser::ServoParser::resume_with_pending_parsing_blocking_script::h13724fd765e088d5(self=0x00000001392fe000, script=0x00000001393bda80, result=Result<script::dom::htmlscriptelement::ScriptOrigin, net_traits::NetworkError> @ 0x0000700015ebe448) at mod.rs:304:13
    frame #33: 0x0000000100f5fbb7 servo`script::dom::document::Document::process_pending_parsing_blocking_script::h3ff527fdc30d2448(self=0x000000012aa05800) at document.rs:2426:13
    frame #34: 0x0000000100f5f89e servo`script::dom::document::Document::pending_parsing_blocking_script_loaded::he657e2664c465556(self=0x000000012aa05800, element=0x00000001393bda80, result=Result<script::dom::htmlscriptelement::ScriptOrigin, net_traits::NetworkError> @ 0x0000700015ebe810) at document.rs:2412:9
    frame #35: 0x0000000102346a99 servo`script::dom::htmlscriptelement::finish_fetching_a_classic_script::h8ed73e02f9023468(elem=0x00000001393bda80, script_kind=ParsingBlocking, url=ServoUrl @ 0x0000700015ebe688, load=Result<script::dom::htmlscriptelement::ScriptOrigin, net_traits::NetworkError> @ 0x0000700015ebec38) at htmlscriptelement.rs:321:13
    frame #36: 0x0000000102346037 servo`script::dom::htmlscriptelement::off_thread_compilation_callback::_$u7b$$u7b$closure$u7d$$u7d$::h2de89d0acd401720 at htmlscriptelement.rs:140:13
    frame #37: 0x0000000102402df3 servo`_$LT$script..dom..htmlscriptelement..off_thread_compilation_callback..off_thread_compile_continue$LT$F$GT$$u20$as$u20$script..task..TaskOnce$GT$::run_once::hc4d72174a8fd4c41(self=<unavailable>) at task.rs:24:17
    frame #38: 0x00000001009e9ae0 servo`_$LT$script..task..CancellableTask$LT$T$GT$$u20$as$u20$script..task..TaskOnce$GT$::run_once::h4f91c1bca785bb46(self=CancellableTask<script::dom::htmlscriptelement::off_thread_compilation_callback::off_thread_compile_continue<closure-0>> @ 0x0000700015ebee88) at task.rs:114:13
    frame #39: 0x00000001009df367 servo`_$LT$T$u20$as$u20$script..task..TaskBox$GT$::run_box::hfffae37f5ab9750f(self=0x00000001381add00) at task.rs:57:9
    frame #40: 0x00000001013c7b34 servo`script::script_thread::ScriptThread::handle_msg_from_script::hceef5bb34d01b955(self=0x0000700015ec6fe0, msg=MainThreadScriptMsg @ 0x0000700015ebf778) at script_thread.rs:2090:82
    frame #41: 0x00000001013c0675 servo`script::script_thread::ScriptThread::handle_msgs::_$u7b$$u7b$closure$u7d$$u7d$::h60a073cad75e8404 at script_thread.rs:1639:46
    frame #42: 0x00000001013c492b servo`script::script_thread::ScriptThread::profile_event::he34b640c6e9e1036(self=0x0000700015ec6fe0, category=ScriptEvent, pipeline_id=Option<msg::constellation_msg::PipelineId> @ 0x0000700015ebfa18, f=closure-5 @ 0x0000700015ec64b0) at script_thread.rs:1882:13
    frame #43: 0x00000001013be84a servo`script::script_thread::ScriptThread::handle_msgs::hd1bf2020be279974(self=0x0000700015ec6fe0) at script_thread.rs:1632:26
    frame #44: 0x00000001013bc028 servo`script::script_thread::ScriptThread::start::ha5c80a72bdcf598e(self=0x0000700015ec6fe0) at script_thread.rs:1436:15
    frame #45: 0x00000001013b548b servo`_$LT$script..script_thread..ScriptThread$u20$as$u20$script_traits..ScriptThreadFactory$GT$::create::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h6eb35523519dfa6c at script_thread.rs:825:25
    frame #46: 0x0000000101a25e82 servo`profile_traits::mem::ProfilerChan::run_with_memory_reporting::h31a58c6480e3e827(self=0x0000700015ec6fc4, f=closure-1 @ 0x0000700015ec6e50, reporter_name=String @ 0x0000700015ec79c8, channel_for_reporter=(flavor = crossbeam_channel::channel::SenderFlavor<script::script_thread::MainThreadScriptMsg> @ 0x0000700015ec6d80), msg=(0x0000000000000001)) at mem.rs:88:9
    frame #47: 0x00000001013b5c29 servo`_$LT$script..script_thread..ScriptThread$u20$as$u20$script_traits..ScriptThreadFactory$GT$::create::_$u7b$$u7b$closure$u7d$$u7d$::h7cb6f4deb17cd61a at script_thread.rs:823:17
    frame #48: 0x0000000100b0f6a3 servo`std::sys_common::backtrace::__rust_begin_short_backtrace::heafc8776ca1d95e1(f=<unavailable>) at backtrace.rs:130:5
    frame #49: 0x000000010146c6d3 servo`std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h3c3042a5a76eaab1 at mod.rs:475:17
    frame #50: 0x000000010225d293 servo`_$LT$std..panic..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::hda44ebe3096bb793(self=<unavailable>, _args=<unavailable>) at panic.rs:318:9
    frame #51: 0x000000010146d968 servo`std::panicking::try::do_call::h791ebef1a2188aa5(data="��*\x01") at panicking.rs:348:40
    frame #52: 0x000000010168c73d servo`__rust_try + 29
    frame #53: 0x000000010146d597 servo`std::panicking::try::he2a14466ca1fedd1(f=<unavailable>) at panicking.rs:325:15
    frame #54: 0x0000000102274643 servo`std::panic::catch_unwind::hc7b20278ead0e265(f=<unavailable>) at panic.rs:394:14
    frame #55: 0x000000010146b460 servo`std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::h38f1f89f2a6851b2 at mod.rs:474:30
    frame #56: 0x0000000101a6f0c1 servo`core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::hf55ee270ff6165b6((null)=0x000000012ab64c00, (null)=<unavailable>) at function.rs:233:5
    frame #57: 0x0000000106b61ccd servo`std::sys::unix::thread::Thread::new::thread_start::h834ded9490287f71 [inlined] _$LT$alloc..boxed..Box$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$A$GT$$GT$::call_once::h4d3d821adf25cdf6 at boxed.rs:1074:9 [opt]
    frame #58: 0x0000000106b61cc7 servo`std::sys::unix::thread::Thread::new::thread_start::h834ded9490287f71 [inlined] _$LT$alloc..boxed..Box$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$A$GT$$GT$::call_once::h6f972c70872e9c5d at boxed.rs:1074 [opt]
    frame #59: 0x0000000106b61cbe servo`std::sys::unix::thread::Thread::new::thread_start::h834ded9490287f71 at thread.rs:87 [opt]
    frame #60: 0x00007fff73c76109 libsystem_pthread.dylib`_pthread_start + 148
    frame #61: 0x00007fff73c71b8b libsystem_pthread.dylib`thread_start + 15

(lldb) call DumpBacktrace(cx)
#0      114b47f50 i   https://www.gstatic.com/recaptcha/releases/UFwvoDBMjc8LiYc1DKXiAomK/recaptcha__en.js:679 (3891c2a7f348 @ 139)
#1      114b47e08 i   https://www.gstatic.com/recaptcha/releases/UFwvoDBMjc8LiYc1DKXiAomK/recaptcha__en.js:234 (3891c2a7f1e8 @ 613)
#2      114b47cd0 i   https://www.gstatic.com/recaptcha/releases/UFwvoDBMjc8LiYc1DKXiAomK/recaptcha__en.js:685 (3891c2a4f2f0 @ 87)
#3      114b47c20 i   https://www.google.com/recaptcha/api2/bframe?hl=en&v=UFwvoDBMjc8LiYc1DKXiAomK&k=6Le-wvkSAAAAAPBMRTvw0Q4Muexq9bi0DJwx_mJ-&cb=i2uzhv7diked:34 (3891c2a4f298 @ 27)

@jdm
Copy link
Member

jdm commented Nov 25, 2020

Unminified stack (--unminify-js):

#0      1171ea750 i   https://www.gstatic.com/recaptcha/releases/UFwvoDBMjc8LiYc1DKXiAomK/recaptcha__en.js:8342 (1ea74dfd0450 @ 139)
#1      1171ea608 i   https://www.gstatic.com/recaptcha/releases/UFwvoDBMjc8LiYc1DKXiAomK/recaptcha__en.js:2445 (1ea74dfd02f0 @ 613)
#2      1171ea4d0 i   https://www.gstatic.com/recaptcha/releases/UFwvoDBMjc8LiYc1DKXiAomK/recaptcha__en.js:8428 (1ea74df9f3f8 @ 87)
#3      1171ea420 i   https://www.google.com/recaptcha/api2/bframe?hl=en&v=UFwvoDBMjc8LiYc1DKXiAomK&k=6Le-wvkSAAAAAPBMRTvw0Q4Muexq9bi0DJwx_mJ-&cb=nw4fd3s8034t:32 (1ea74df9f3a0 @ 27)

@jdm
Copy link
Member

jdm commented Nov 25, 2020 

            (p = (N = ["c-", 41, 33], r[N[1]](67).name.replace(N[0], "a-")), this).l = T[N[2]](48, 36, r[N[1]](23).parent.frames[p], g[36](8, "anchor"), new Map([

@jdm
Copy link
Member

jdm commented Nov 25, 2020

I'm pretty sure that r[N[1]](23).parent.frames[p] is the code that's tripping up here, since printing out the value of p shows me an empty string. It's not yet clear to me whether r[N[1]](67).name is supposed to return a non-empty string or not; r[N[1]](67) returns a same-origin window object.

@jdm
Copy link
Member

jdm commented Nov 25, 2020

Debugging the same line in Firefox looks like the name should be something like "c-ic32hm4x4fv5" instead.

@jdm
Copy link
Member

jdm commented Nov 25, 2020

Oh, one issue we'll have is that we don't have a window object named getter yet (#25562), so even if the name gets determined correctly we'll still hit that same security error issue.

@jdm
Copy link
Member

jdm commented Nov 25, 2020

I suspect the other half of the problem is #27833.

@jdm
Copy link
Member

jdm commented Nov 25, 2020
edited

The branch in #27833 does fix the name issue, but as predicted the lack of a named window getter (#27949) still causes the security DOM exception to be raised.

@gterzian
Copy link
Member

See also comment at #25729 (comment)

The SecurityError comes from some JS that does a property get on a cross-origin windowproxy (

servo/components/script/dom/windowproxy.rs

Line 1008 in 55058b2

throw_security_error(cx)
). Either that code is insufficiently lenient for expected properties, or the frame shouldn't actually be treated as cross-origin. The script in question is part of reCaptcha:
recaptcha.frame.Main.init("[\x22finput\x22,null,[\x22conf\x22,null,\x226Ld7hz4UAAAAANlndw60vAheGUwN0Mb-qeWD_LHr\x22,0,null,[\x22JS_BR\x22]\n,0.75]\n]\n");

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jdm @gterzian @philip-lamb