commit 4a14c381aae65c6940b616adf285eda80ab086ef
parent 8d07fca38d6cbda0c759f3b9f4ac0e5e3d82b922
Author: Tom Schuster <tschuster@mozilla.com>
Date: Sat, 15 Nov 2025 12:46:15 +0000
Bug 1999878 - Remove the security.shadowed_form_element_property_access metric. r=dom-core,smaug
Sadly the numbers don't like we will be able to get rid of clobbering
for forms.
Differential Revision: https://phabricator.services.mozilla.com/D272494
Diffstat:
7 files changed, 3 insertions(+), 66 deletions(-)
diff --git a/dom/base/Document.cpp b/dom/base/Document.cpp
@@ -17203,13 +17203,6 @@ void Document::PropagateImageUseCounters(Document* aReferencingDocument) {
aReferencingDocument->mChildDocumentUseCounters |= mChildDocumentUseCounters;
}
-void Document::CollectShadowedHTMLFormElementProperty(const nsAString& aName) {
- if (mShadowedHTMLFormElementProperties.Length() <= 10 &&
- !mShadowedHTMLFormElementProperties.Contains(aName)) {
- mShadowedHTMLFormElementProperties.AppendElement(aName);
- }
-}
-
bool Document::HasScriptsBlockedBySandbox() const {
return mSandboxFlags & SANDBOXED_SCRIPTS;
}
@@ -17355,13 +17348,6 @@ void Document::ReportShadowedProperties() {
extra.name = Some(NS_ConvertUTF16toUTF8(property));
glean::security::shadowed_html_document_property_access.Record(Some(extra));
}
-
- for (const nsString& property : mShadowedHTMLFormElementProperties) {
- glean::security::ShadowedHtmlFormElementPropertyAccessExtra extra = {};
- extra.name = Some(NS_ConvertUTF16toUTF8(property));
- glean::security::shadowed_html_form_element_property_access.Record(
- Some(extra));
- }
}
void Document::ReportLCP() {
diff --git a/dom/base/Document.h b/dom/base/Document.h
@@ -3769,10 +3769,10 @@ class Document : public nsINode,
// effect once per document, and so is called during document destruction.
void ReportDocumentUseCounters();
- // Report the names of the HTMLDocument/HTMLFormElement properties that had
+ // Report the names of the HTMLDocument properties that had
// been shadowed using ID/name, and which were subsequently accessed
// ("DOM clobbering"). This data is collected by the corresponding NamedGetter
- // methods and limited to 10 unique entries.
+ // method and limited to 10 unique entries.
void ReportShadowedProperties();
// Reports largest contentful paint via telemetry. We want the most up to
@@ -5663,10 +5663,6 @@ class Document : public nsINode,
// collected shadowed HTMLDocument properties. (Limited to 10 entries)
nsTArray<nsString> mShadowedHTMLDocumentProperties;
- // Used by the shadowed_html_form_element_property_access telemetry probe to
- // collected shadowed HTMLFormElement properties. (Limited to 10 entries)
- nsTArray<nsString> mShadowedHTMLFormElementProperties;
-
// Collection of data used by the pageload event.
PageloadEventData mPageloadEventData;
diff --git a/dom/bindings/Codegen.py b/dom/bindings/Codegen.py
@@ -17395,7 +17395,7 @@ class CGDescriptor(CGThing):
if descriptor.needsMissingPropUseCounters:
cgThings.append(CGCountMaybeMissingProperty(descriptor))
- if descriptor.interface.identifier.name in ("HTMLDocument", "HTMLFormElement"):
+ if descriptor.interface.identifier.name == "HTMLDocument":
cgThings.append(CGInterfaceHasProperty(descriptor))
# CGDOMProxyJSClass/CGDOMJSClass need GetProtoObjectHandle, but we don't
diff --git a/dom/html/HTMLFormElement.cpp b/dom/html/HTMLFormElement.cpp
@@ -1448,11 +1448,6 @@ already_AddRefed<nsISupports> HTMLFormElement::NamedGetter(
const nsAString& aName, bool& aFound) {
if (nsCOMPtr<nsISupports> result = ResolveName(aName)) {
aFound = true;
-
- if (HTMLFormElement_Binding::InterfaceHasProperty(aName)) {
- OwnerDoc()->CollectShadowedHTMLFormElementProperty(aName);
- }
-
return result.forget();
}
diff --git a/dom/metrics.yaml b/dom/metrics.yaml
@@ -797,25 +797,6 @@ security:
Name of the shadowed HTML property that was accessed.
type: string
- shadowed_html_form_element_property_access:
- type: event
- description: >
- When accessing a property on a HTMLFormElement like (form.attributes),
- if that property was shadowed/"clobbered", the
- name of the shadowed built-in property is collected.
- bugs:
- - https://bugzil.la/1979041
- data_reviews:
- - https://bugzil.la/1979041
- notification_emails:
- - tschuster@mozilla.com
- expires: 148
- extra_keys:
- name:
- description: >
- Name of the shadowed property that was accessed.
- type: string
-
dom.contentprocess:
build_id_mismatch:
type: counter
diff --git a/dom/security/test/general/browser_test_clobbered_property.js b/dom/security/test/general/browser_test_clobbered_property.js
@@ -30,15 +30,4 @@ add_task(async function test_clobbered_properties() {
"Clobbering of 'onreadystatechange' was collected"
);
ok(names.includes("hasFocus"), "Clobbering of 'hasFocus' was collected");
-
- result = await TestUtils.waitForCondition(() =>
- Glean.security.shadowedHtmlFormElementPropertyAccess.testGetValue()
- );
-
- is(result.length, 1, "Got one HTMLFormElement metric");
- is(
- result[0].extra.name,
- "attributes",
- "Clobbering of 'attributes' was collected"
- );
});
diff --git a/dom/security/test/general/file_clobbered_property.html b/dom/security/test/general/file_clobbered_property.html
@@ -21,15 +21,5 @@
console.log(document.onreadystatechange);
console.log(document.hasFocus);
</script>
-
- <form>
- <input id="bar">
- <input id="attributes">
- </form>
- <script>
- let form = document.querySelector("form");
- console.log(form.bar);
- console.log(form.attributes);
- </script>
</body>
</html>
