Executing script causes Permission denied to access property "toString" on some sites

[BertLamb]

Firefox Version: 50.0.2
Gecko Driver Version: 0.11.1 x64
Selenium .NET Libs 3.0.1
Platform: Windows 10

In working to upgrade our environment to the latest FF and therefore the new GeckoDriver we came across a weird issue with one website. Any attempt to call ExecuteScript will fail with a System.InvalidOperationException: Permission denied to access property "toString" exception. Didn't happen with the old FirefoxDriver and FF 47, and doesn't happen on IE or Chrome.

Hoping for some insight from y'all as to what is going on.

Steps to reproduce

using System;
using OpenQA.Selenium;
using OpenQA.Selenium.Firefox;

namespace TerraFirefoxIssue
{
    class Program
    {
        static void Main(string[] args)
        {
            var ffDriverService = FirefoxDriverService.CreateDefaultService();
            var ffOptions = new FirefoxOptions();
            ffOptions.LogLevel = FirefoxDriverLogLevel.Trace;
            var webDriver = new FirefoxDriver(ffDriverService, ffOptions, TimeSpan.FromSeconds(60));
            webDriver.Navigate().GoToUrl("https://correo.terra.com/index.php?r=site/login");
            var jsExecuter = (IJavaScriptExecutor) webDriver;
            try
            {
                // doesn't matter what is in this javascript, it will always fail
                jsExecuter.ExecuteScript("var useless = '';");
            }
            catch (InvalidOperationException ioe)
            {
                // this will happen every time
                /* System.InvalidOperationException: Permission denied to access property "toString"
                   at OpenQA.Selenium.Remote.RemoteWebDriver.UnpackAndThrowOnError(Response errorResponse)
                   at OpenQA.Selenium.Remote.RemoteWebDriver.Execute(String driverCommandToExecute, Dictionary`2 parameters)
                   at OpenQA.Selenium.Remote.RemoteWebDriver.ExecuteScriptCommand(String script, String commandName, Object[] args)
                   at OpenQA.Selenium.Remote.RemoteWebDriver.ExecuteScript(String script, Object[] args)
                   at TerraFirefoxIssue.Program.Main(String[] args) in d:\my documents\visual studio 2015\Projects\TerraFirefoxIssue\TerraFirefoxIssue\Program.cs:line 23
                */
                Console.WriteLine(ioe);
            }

            Console.ReadLine();
            webDriver.Quit();
        }
    }
}

Gecko Trace Log

1481308848464   geckodriver     INFO    Listening on 127.0.0.1:61985
1481308849563   mozprofile::profile     INFO    Using profile path C:\Users\Bert\AppData\Local\Temp\rust_mozprofile.XUdxnWAHtoKt
1481308849568   geckodriver::marionette INFO    Starting browser C:\Program Files (x86)\Mozilla Firefox\firefox.exe
1481308849575   geckodriver::marionette INFO    Connecting to Marionette on localhost:62043
1481308850578   geckodriver::marionette DEBUG   TCP connection established
1481308850684   geckodriver::marionette DEBUG   ← {"applicationType":"gecko","marionetteProtocol":3}
1481308850684   geckodriver::marionette DEBUG   → 176:[0,1,"newSession",{"capabilities":{"desiredCapabilities":{"browserName":"firefox","marionette":true,"platform":"ANY","version":""},"requiredCapabilities":{}},"sessionId":null}]
1481308851709   geckodriver::marionette DEBUG   ← [1,1,null,{"sessionId":"8eb0f600-433f-480e-8219-db3ee697208d","capabilities":{"browserName":"firefox","browserVersion":"50.0.2","platformName":"windows_nt","platformVersion":"10.0","specificationLevel":0,"raisesAccessibilityExceptions":false,"rotatable":false,"acceptSslCerts":false,"takesElementScreenshot":true,"takesScreenshot":true,"proxy":{},"platform":"WINDOWS_NT","XULappId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","appBuildId":"20161129173726","processId":276,"version":"","marionette":true,"command_id":1}}]
1481308851709   webdriver::server       DEBUG   Returning status Ok
1481308851711   webdriver::server       DEBUG   Returning body {"sessionId":"8eb0f600-433f-480e-8219-db3ee697208d","value":{"XULappId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","acceptSslCerts":false,"appBuildId":"20161129173726","browserName":"firefox","browserVersion":"50.0.2","command_id":1,"marionette":true,"platform":"WINDOWS_NT","platformName":"windows_nt","platformVersion":"10.0","processId":276,"proxy":{},"raisesAccessibilityExceptions":false,"rotatable":false,"specificationLevel":0,"takesElementScreenshot":true,"takesScreenshot":true,"version":""}}
1481308851711   hyper::header   TRACE   Headers.set( "Content-Type", ContentType(Mime(Application, Json, [])) )
1481308851712   hyper::header   TRACE   Headers.set( "Content-Length", ContentLength(499) )
1481308851712   hyper::server::response DEBUG   writing head: Http11 Ok
1481308851712   hyper::header   TRACE   Headers.set( "Date", Date(HttpDate(Tm { tm_sec: 51, tm_min: 40, tm_hour: 18, tm_mday: 9, tm_mon: 11, tm_year: 116, tm_wday: 5, tm_yday: 344, tm_isdst: 0, tm_utcoff: 0, tm_nsec: 712759500 })) )
1481308851715   hyper::server::response DEBUG   headers [
Headers { Date: Fri, 09 Dec 2016 18:40:51 GMT, Content-Type: application/json, Connection: close, Content-Length: 499, }]
1481308851715   hyper::server::response DEBUG   write 499 bytes
1481308851715   hyper::server::response TRACE   ending
1481308851715   hyper::server   DEBUG   keep_alive = false for 127.0.0.1:62042
1481308851715   hyper::server   DEBUG   keep_alive loop ending for 127.0.0.1:62042
1481308851745   hyper::server   DEBUG   Incoming stream
1481308851745   hyper::buffer   TRACE   get_buf []
1481308851745   hyper::buffer   TRACE   read_into_buf buf[0..4096]
1481308851745   hyper::buffer   TRACE   get_buf [u8; 4096][0..250]
1481308851745   hyper::http::h1 TRACE   try_parse([80, 79, 83, 84, 32, 47, 115, 101, 115, 115, 105, 111, 110, 47, 56, 101, 98, 48, 102, 54, 48, 48, 45, 52, 51, 51, 102, 45, 52, 56, 48, 101, 45, 56, 50, 49, 57, 45, 100, 98, 51, 101, 101, 54, 57, 55, 50, 48, 56, 100, 47, 117, 114, 108, 32, 72, 84, 84, 80, 47, 49, 46, 49, 13, 10, 65, 99, 99, 101, 112, 116, 58, 32, 97, 112, 112, 108, 105, 99, 97, 116, 105, 111, 110, 47, 106, 115, 111, 110, 44, 32, 105, 109, 97, 103, 101, 47, 112, 110, 103, 13, 10, 67, 111, 110, 116, 101, 110, 116, 45, 84, 121, 112, 101, 58, 32, 97, 112, 112, 108, 105, 99, 97, 116, 105, 111, 110, 47, 106, 115, 111, 110, 59, 99, 104, 97, 114, 115, 101, 116, 61, 117, 116, 102, 45, 56, 13, 10, 72, 111, 115, 116, 58, 32, 108, 111, 99, 97, 108, 104, 111, 115, 116, 58, 54, 49, 57, 56, 53, 13, 10, 67, 111, 110, 116, 101, 110, 116, 45, 76, 101, 110, 103, 116, 104, 58, 32, 53, 55, 13, 10, 13, 10, 123, 34, 117, 114, 108, 34, 58, 34, 104, 116, 116, 112, 115, 58, 47, 47, 99, 111, 114, 114, 101, 111, 46, 116, 101, 114, 114, 97, 46, 99, 111, 109, 47, 105, 110, 100, 101, 120, 46, 112, 104, 112, 63, 114, 61, 115, 105, 116, 101, 47, 108, 111, 103, 105, 110, 34, 125])
1481308851745   hyper::http::h1 TRACE   Request.try_parse([Header; 100], [u8; 250])
1481308851745   hyper::http::h1 TRACE   Request.try_parse Complete(193)
1481308851745   hyper::header   TRACE   raw header: "Accept"=[97, 112, 112, 108, 105, 99, 97, 116, 105, 111, 110, 47, 106, 115, 111, 110, 44, 32, 105, 109, 97, 103, 101, 47, 112, 110, 103]
1481308851745   hyper::header   TRACE   raw header: "Content-Type"=[97, 112, 112, 108, 105, 99, 97, 116, 105, 111, 110, 47, 106, 115, 111, 110, 59, 99, 104, 97, 114, 115, 101, 116, 61, 117, 116, 102, 45, 56]
1481308851745   hyper::header   TRACE   raw header: "Host"=[108, 111, 99, 97, 108, 104, 111, 115, 116, 58, 54, 49, 57, 56, 53]
1481308851745   hyper::header   TRACE   raw header: "Content-Length"=[53, 55]
1481308851745   hyper::server::request  DEBUG   Request Line: Post AbsolutePath("/session/8eb0f600-433f-480e-8219-db3ee697208d/url") Http11
1481308851745   hyper::server::request  DEBUG   Headers { Accept: application/json, image/png, Content-Type: application/json;charset=utf-8, Host: localhost:61985, Content-Length: 57, }
1481308851745   hyper::header   TRACE   Headers.set( "Connection", Connection([Close]) )
1481308851746   hyper::http::h1 TRACE   Sized read, remaining=57
1481308851746   hyper::http::h1 TRACE   Sized read: 32
1481308851746   hyper::http::h1 TRACE   Sized read, remaining=25
1481308851746   hyper::http::h1 TRACE   Sized read: 25
1481308851746   hyper::http::h1 TRACE   Sized read, remaining=0
1481308851746   webdriver::server       DEBUG   Got request POST AbsolutePath("/session/8eb0f600-433f-480e-8219-db3ee697208d/url")
1481308851746   webdriver::command      DEBUG   Got request body {"url":"https://correo.terra.com/index.php?r=site/login"}
1481308851746   geckodriver::marionette DEBUG   → 69:[0,2,"get",{"url":"https://correo.terra.com/index.php?r=site/login"}]
1481308853991   geckodriver::marionette DEBUG   ← [1,2,null,{}]
1481308853991   webdriver::server       DEBUG   Returning status Ok
1481308853991   webdriver::server       DEBUG   Returning body {}
1481308853991   hyper::header   TRACE   Headers.set( "Content-Type", ContentType(Mime(Application, Json, [])) )
1481308853991   hyper::header   TRACE   Headers.set( "Content-Length", ContentLength(2) )
1481308853991   hyper::server::response DEBUG   writing head: Http11 Ok
1481308853991   hyper::header   TRACE   Headers.set( "Date", Date(HttpDate(Tm { tm_sec: 53, tm_min: 40, tm_hour: 18, tm_mday: 9, tm_mon: 11, tm_year: 116, tm_wday: 5, tm_yday: 344, tm_isdst: 0, tm_utcoff: 0, tm_nsec: 991820100 })) )
1481308853991   hyper::server::response DEBUG   headers [
Headers { Content-Type: application/json, Content-Length: 2, Connection: close, Date: Fri, 09 Dec 2016 18:40:53 GMT, }]
1481308853991   hyper::server::response DEBUG   write 2 bytes
1481308853991   hyper::server::response TRACE   ending
1481308853991   hyper::server   DEBUG   keep_alive = false for 127.0.0.1:62064
1481308853991   hyper::server   DEBUG   keep_alive loop ending for 127.0.0.1:62064
1481308853996   hyper::server   DEBUG   Incoming stream
1481308853996   hyper::buffer   TRACE   get_buf []
1481308853996   hyper::buffer   TRACE   read_into_buf buf[0..4096]
1481308853996   hyper::buffer   TRACE   get_buf [u8; 4096][0..242]
1481308853996   hyper::http::h1 TRACE   try_parse([80, 79, 83, 84, 32, 47, 115, 101, 115, 115, 105, 111, 110, 47, 56, 101, 98, 48, 102, 54, 48, 48, 45, 52, 51, 51, 102, 45, 52, 56, 48, 101, 45, 56, 50, 49, 57, 45, 100, 98, 51, 101, 101, 54, 57, 55, 50, 48, 56, 100, 47, 101, 120, 101, 99, 117, 116, 101, 47, 115, 121, 110, 99, 32, 72, 84, 84, 80, 47, 49, 46, 49, 13, 10, 65, 99, 99, 101, 112, 116, 58, 32, 97, 112, 112, 108, 105, 99, 97, 116, 105, 111, 110, 47, 106, 115, 111, 110, 44, 32, 105, 109, 97, 103, 101, 47, 112, 110, 103, 13, 10, 67, 111, 110, 116, 101, 110, 116, 45, 84, 121, 112, 101, 58, 32, 97, 112, 112, 108, 105, 99, 97, 116, 105, 111, 110, 47, 106, 115, 111, 110, 59, 99, 104, 97, 114, 115, 101, 116, 61, 117, 116, 102, 45, 56, 13, 10, 72, 111, 115, 116, 58, 32, 108, 111, 99, 97, 108, 104, 111, 115, 116, 58, 54, 49, 57, 56, 53, 13, 10, 67, 111, 110, 116, 101, 110, 116, 45, 76, 101, 110, 103, 116, 104, 58, 32, 52, 48, 13, 10, 13, 10, 123, 34, 115, 99, 114, 105, 112, 116, 34, 58, 34, 118, 97, 114, 32, 117, 115, 101, 108, 101, 115, 115, 32, 61, 32, 39, 39, 59, 34, 44, 34, 97, 114, 103, 115, 34, 58, 91, 93, 125])
1481308853996   hyper::http::h1 TRACE   Request.try_parse([Header; 100], [u8; 242])
1481308853996   hyper::http::h1 TRACE   Request.try_parse Complete(202)
1481308853996   hyper::header   TRACE   raw header: "Accept"=[97, 112, 112, 108, 105, 99, 97, 116, 105, 111, 110, 47, 106, 115, 111, 110, 44, 32, 105, 109, 97, 103, 101, 47, 112, 110, 103]
1481308853996   hyper::header   TRACE   raw header: "Content-Type"=[97, 112, 112, 108, 105, 99, 97, 116, 105, 111, 110, 47, 106, 115, 111, 110, 59, 99, 104, 97, 114, 115, 101, 116, 61, 117, 116, 102, 45, 56]
1481308853996   hyper::header   TRACE   raw header: "Host"=[108, 111, 99, 97, 108, 104, 111, 115, 116, 58, 54, 49, 57, 56, 53]
1481308853996   hyper::header   TRACE   raw header: "Content-Length"=[52, 48]
1481308853996   hyper::server::request  DEBUG   Request Line: Post AbsolutePath("/session/8eb0f600-433f-480e-8219-db3ee697208d/execute/sync") Http11
1481308853996   hyper::server::request  DEBUG   Headers { Content-Length: 40, Content-Type: application/json;charset=utf-8, Host: localhost:61985, Accept: application/json, image/png, }
1481308853996   hyper::header   TRACE   Headers.set( "Connection", Connection([Close]) )
1481308853996   hyper::http::h1 TRACE   Sized read, remaining=40
1481308853996   hyper::http::h1 TRACE   Sized read: 32
1481308853996   hyper::http::h1 TRACE   Sized read, remaining=8
1481308853996   hyper::http::h1 TRACE   Sized read: 8
1481308853996   hyper::http::h1 TRACE   Sized read, remaining=0
1481308853996   webdriver::server       DEBUG   Got request POST AbsolutePath("/session/8eb0f600-433f-480e-8219-db3ee697208d/execute/sync")
1481308853997   webdriver::command      DEBUG   Got request body {"script":"var useless = '';","args":[]}
System.InvalidOperationException: Permission denied to access property "toString"
   at OpenQA.Selenium.Remote.RemoteWebDriver.UnpackAndThrowOnError(Response errorResponse)
   at OpenQA.Selenium.Remote.RemoteWebDriver.Execute(String driverCommandToExecut1481308853997  geckodriver::marionette DEBUG   → 124:[0,3,"executeScript",{"args":[],"newSandbox":false,"script":"var useless = '';","scriptTimeout":null,"specialPowers":false}]
e, Dictionary`2 parameters)
   at OpenQA.Selenium.Remote.RemoteWebDriver.ExecuteScriptCommand(String script, String commandName, Object[] args)
   at OpenQA.Selenium.Remote.RemoteWebDriver.ExecuteScript(String script, Object[] args)
   at TerraFirefoxIssue.Program.Main(String[] args) in d:\my documents\visual studio 2015\Projects\TerraFirefoxIssue\TerraFirefoxIssue\Program.cs:line 20
1481308854006   geckodriver::marionette DEBUG   ← [1,3,{"error":"webdriver error","message":"Permission denied to access property \"toString\"","stacktrace":""},null]
1481308854006   webdriver::server       DEBUG   Returning status InternalServerError
1481308854006   webdriver::server       DEBUG   Returning body {"error":"unknown error","message":"Permission denied to access property \"toString\""}
1481308854006   hyper::header   TRACE   Headers.set( "Content-Type", ContentType(Mime(Application, Json, [])) )
1481308854006   hyper::header   TRACE   Headers.set( "Content-Length", ContentLength(87) )
1481308854006   hyper::server::response DEBUG   writing head: Http11 InternalServerError
1481308854006   hyper::header   TRACE   Headers.set( "Date", Date(HttpDate(Tm { tm_sec: 54, tm_min: 40, tm_hour: 18, tm_mday: 9, tm_mon: 11, tm_year: 116, tm_wday: 5, tm_yday: 344, tm_isdst: 0, tm_utcoff: 0, tm_nsec: 6819900 })) )
1481308854006   hyper::server::response DEBUG   headers [
Headers { Content-Length: 87, Connection: close, Date: Fri, 09 Dec 2016 18:40:54 GMT, Content-Type: application/json, }]
1481308854006   hyper::server::response DEBUG   write 87 bytes
1481308854006   hyper::server::response TRACE   ending
1481308854006   hyper::server   DEBUG   keep_alive = false for 127.0.0.1:62088
1481308854006   hyper::server   DEBUG   keep_alive loop ending for 127.0.0.1:62088

[BertLamb]

Checked Nightly 53.0a1 (2016-12-09) (64-bit) as well and it happens there too

[andreastt]

I spent quite a lot of time digging into this, and it appears that because your site has syntax errors that causes the document to be unloaded. The site tries to access the unload handler that Marionette registers on the sandbox. Because this sandbox is created in a privileged JS scope, accessing it will cause the PermissionError we see here.

[andreastt]

I’m not entirely sure how the unload handler registered by Marionette is being accessed yet. The document you are navigating to is very complex and it would help to have a reduced and minimised test case.

[jgraham]

A syntax error causing the document to be unloaded sounds super-odd.

In other news, thank you for the excellent bug report.

[andreastt]

This seems to reproduce it:

    def test_access_unload_handler(self):
        self.marionette.navigate(inline("""
            <script>
            window.addEventListener = (type, handler) => handler.toString();
            </script>"""))
        self.marionette.execute_script("", sandbox=None)

I’m not sure about the syntax error triggering this, but there is a lot of wonky error catching behaviour in the document. In any case, the syntax error is not relevant to the error that Marionette produces.

[andreastt]

We can fix this by ensuring any complex objects assigned to content are cloned, but I wonder if there are other ways to attach event handlers to the content window directly from the system privileged context, bypassing modifications to the window.

[andreastt]

Filed bug 1322862.

[BertLamb]

Awesome! Excited to see the quick progress on this! Thanks!

[BertLamb]

I have checked that this is now working (on my machine ;) ) with geckodriver 0.13 and Firefox 52 beta version 52.0b7 (32-bit). Thanks so much for your work on it!

[andreastt]

@BertLamb Great to hear it!

[lock]

This issue has been automatically locked since there has not been any recent activity after it was closed. If you have run into an issue you think is related, please open a new issue.