Bug 14610

Summary: Security problem in DOMWindow
Product: WebKit
Reporter: Feng Qian <ian.eng.webkit>
Component: WebCore JavaScript
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: ddkilzer
Priority: P1
Keywords: EasyFix, HasReduction, InRadar
Version: 523.x (Safari 3)
Hardware: All
OS: All

Feng Qian
Reported 2007-07-13 11:12:42 PDT
The problem was introduced by recent code refactoring in kjs_window and DOMWindow. When navigating to a new page, DOMWindow does not clear up its DOMSelection object.

To show the problem, save the following text into a file, say 'selection.html':

    <html>
    <script>
    var child;
    var sel;
    function openwin() { child = open("hello.html"); }
    function getsel() { sel = child.getSelection(); }
    function reloadwin() { child.location = "world.html"; }
    function check() {
      var selected = sel.anchorNode;
      var new_doc = selected.ownerDocument;
      alert(new_doc.baseURI);
    }
    </script>
    <body>
    <button onclick="openwin()">open</button>
    <button onclick="getsel()">get selection</button>
    <button onclick="reloadwin()">reload</button>
    <button onclick="check()">check</button>
    </body>
    </html>

Also create two files called hello.html and world.html.

hello.html:

    <html><body>hello</body></html>

world.html:

    <html><body>world</body></html>

Put selection.html and hello.html in the same domain, and put world.html in a different domain (you need to change the URLs of hello.html and world.html in selection.html). Do the following steps:

1. Load 'selection.html' in a new window.
2. Click the 'open' button; it opens a child window.
3. Select the "hello" text in the child window.
4. Click 'get selection' in the parent window.
5. Click the 'check' button; an alert window pops up and displays the URL of 'hello.html'. So far so good.
6. Click the 'reload' button in the parent window; it loads the 'world.html' page in the child window. Note that now the parent window and the child window are in different domains.
7. Select 'world' in the child window.
8. Click the 'check' button in the first window. An alert window pops up and displays the URL of 'world.html'.

At this point, the parent window has full access to the Document object and the DOM nodes under it in the child window even though they are from different domains.

I will make a patch later.
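The report above describes a stale DOMSelection handle surviving a cross-origin navigation of the child frame. The following is an added model written for this page, not WebKit code and not the patch in r24398: it sketches a window that hands out a selection object bound to its frame, and shows that the handle keeps exposing the new document unless the window invalidates it when the frame navigates. The class and method names (`Frame`, `DOMWindow.clear`, `DOMSelection.disconnectFrame`) and the URLs `http://a.example/...` and `http://b.example/...` are assumptions constructed for the model.

```javascript
// Added model of the bug and of the invalidation that fixes it (not WebKit code).
// Names and URLs below are constructed for illustration.

class Document {
  constructor(baseURI) {
    this.baseURI = baseURI;
    // one body node whose ownerDocument points back at this document
    this.body = { ownerDocument: this };
  }
}

// A selection object is bound to a frame, not to one document: if the frame
// navigates, the same object would silently start reporting nodes of the new
// document unless the binding is cut.
class DOMSelection {
  constructor(frame) {
    this.frame = frame;
  }
  disconnectFrame() {
    this.frame = null; // assumed invalidation hook: sever the link to the frame
  }
  get anchorNode() {
    if (!this.frame) return null; // stale handle: expose nothing
    return this.frame.document.body;
  }
}

class DOMWindow {
  constructor(frame) {
    this.frame = frame;
    this.selection = null; // lazily created and cached, as in the report
  }
  getSelection() {
    if (!this.selection) this.selection = new DOMSelection(this.frame);
    return this.selection;
  }
  // Called when the frame navigates: drop the cached DOMSelection and cut the
  // link held by any handle another window may still retain.
  clear() {
    if (this.selection) {
      this.selection.disconnectFrame();
      this.selection = null;
    }
  }
}

class Frame {
  constructor(url) {
    this.document = new Document(url);
    this.domWindow = new DOMWindow(this);
  }
  // clearOnNavigate=false reproduces the reported behaviour (window state is
  // not cleared); clearOnNavigate=true models the intended fix.
  navigate(url, clearOnNavigate) {
    if (clearOnNavigate) this.domWindow.clear();
    this.document = new Document(url);
  }
}

// Replays steps 2-8 of the report: the parent grabs a selection from the
// same-origin child, the child navigates to a different origin, and the
// parent reads anchorNode through the old handle. Returns the baseURI the
// parent can reach, or null if the stale handle yields nothing.
function reproduce(clearOnNavigate) {
  const child = new Frame("http://a.example/hello.html"); // constructed URL
  const sel = child.domWindow.getSelection();             // step 4: parent keeps sel
  child.navigate("http://b.example/world.html", clearOnNavigate); // step 6: cross-origin
  const selected = sel.anchorNode;                         // step 8: check()
  return selected ? selected.ownerDocument.baseURI : null;
}

console.log("without clear:", reproduce(false)); // leaks http://b.example/world.html
console.log("with clear:   ", reproduce(true));  // null: handle was invalidated

module.exports = { Document, DOMSelection, DOMWindow, Frame, reproduce };
```

The point the model isolates is that the cross-origin check on `child.getSelection()` happens once, at the time the parent obtains the object, so any per-frame object cached in the window must be invalidated on navigation rather than relying on the check that guarded its creation.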
Sam Weinig
Comment 1 2007-07-13 11:27:15 PDT
Sam Weinig
Comment 2 2007-07-17 22:44:01 PDT
Fixed in r24398.