Open Bug 1010011 Opened 10 years ago Updated 2 years ago

Gecko should forbid embedding iframe which has different origins in src and mozAPP(manifest URL) attribute.

Categories

(Core :: DOM: Core & HTML, defect, P5)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
macOS
Type:
defect

Tracking

()

People

(Reporter: GaryChen, Unassigned)

Details

Embed iframe with different origins in src and mozAPP(manifest URL) attribute.
ex:
<iframe mozapp="app://abc.gaia/manifest.webapp" src="app://xyz.gaia/">

Expected result:
  Gecko will show error and kill the instance.
Actual:
  Gecko creates a instance for this iframe.
Component: General → DOM
Product: Firefox OS → Core
No longer blocks: 1002336
This will likely be more complex than a same-origin check. That needs to honor what has be called the "application scope" (there are a couple of mailing list threads about that) and it's not clear yet how we define these. That's important because this should be enforced not only when opening the iframe but also during navigation.
https://bugzilla.mozilla.org/show_bug.cgi?id=1472046

Move all DOM bugs that haven't been updated in more than 3 years and has no one currently assigned to P5.

If you have questions, please contact :mdaly.
Priority: -- → P5
Component: DOM → DOM: Core & HTML
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.