Open Bug 1010011 Opened 6 years ago Updated 7 months ago

Gecko should forbid embedding iframe which has different origins in src and mozAPP(manifest URL) attribute.

Categories

(Core :: DOM: Core & HTML, defect, P5)

x86
macOS
defect

Tracking

()

People

(Reporter: GaryChen, Unassigned)

Details

Embed iframe with different origins in src and mozAPP(manifest URL) attribute.
ex:
<iframe mozapp="app://abc.gaia/manifest.webapp" src="app://xyz.gaia/">

Expected result:
  Gecko will show error and kill the instance.
Actual:
  Gecko creates a instance for this iframe.
Component: General → DOM
Product: Firefox OS → Core
No longer blocks: 1002336
This will likely be more complex than a same-origin check. That needs to honor what has be called the "application scope" (there are a couple of mailing list threads about that) and it's not clear yet how we define these. That's important because this should be enforced not only when opening the iframe but also during navigation.
https://bugzilla.mozilla.org/show_bug.cgi?id=1472046

Move all DOM bugs that haven't been updated in more than 3 years and has no one currently assigned to P5.

If you have questions, please contact :mdaly.
Priority: -- → P5
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.