1045537 - Permission denied to access object in iframe when document.domain is modified

Status: RESOLVED WONTFIX

(Core :: DOM: Core & HTML, defect)

Description

[Kohei Yoshino [:kohei]]

A Firefox 31 regression reported in https://twitter.com/PG_IDMS/status/493776386205970432

I'll try to make a minimum testcase.

Comment 1

[Kohei Yoshino [:kohei]]

Attachment: testcase

Comment 2

[Kohei Yoshino [:kohei]]

Attachment: testcase

Comment 3

[Kohei Yoshino [:kohei]]

https://push.boerse-stuttgart.de/files/js-api/1.6.1/iframe.html
document.domain is changed to "boerse-stuttgart.de"

https://push.boerse-stuttgart.de/files/js-api/1.6.1/jframe.html
document.domain is kept as "push.boerse-stuttgart.de"

So the same-origin policy prevent jframe.html from being accessed by iframe.html, while this was working without an error on Firefox 30 and below.

Comment 4

[Boris Zbarsky [:bzbarsky]]

>document.domain is changed to "boerse-stuttgart.de"
>document.domain is kept as "push.boerse-stuttgart.de"

Then those should not be same-origin and shouldn't have been in Firefox 30 either.

It looks like the exact sequence here is this.  iframe.html does:

  var jInit;
  jInit        = jframe.contentWindow.jInit;
  // set document.domain here, so it's no longer same-origin with jframe
  init        = function(logger, base64, lowerBound, upperBound, config)
              { jInit(logger, base64, lowerBound, upperBound, config); };

Then later this init function is called.

Imo, this code should not, in fact, work.  I'm really surprised it ever did.  Bobby, do you have any idea how it managed that?

Comment 5

[Kohei Yoshino [:kohei]]

Comment on attachment 8463927 [details]
testcase

This testcase is not working on Firefox 30 anyway. I've got an Error: Permission denied to access property 'document'

Comment 6

[Philipp Gemind]

Hi,

thank you for your investigation. I looks like the functions from jframe.html are being set in iframe.html and used after iframe.html sets its document.domain. This should prevent iframe.html from using the functions from jframe.html, but the pointers set in iframe.html are still working despite the document.domain being different. I guess one of the first developers of this API knew this bug and used it to set the document.domain within the initialization function instead of at the start of every iframe.

I have managed to change the order of the document.domain being set.
It now is no longer set in the initialization functions but within the iframes themselves right at the start. I hope this does not cause any regressions.

Thank you very much,
Philipp Gemind

Comment 7

[Sylvestre Ledru [:Sylvestre]]

We won't make a new release of 31 for this. However, we would be happy to take a patch in 32.

Comment 8

[Bobby Holley (:bholley)]

This used to work because the testcase was calling a function it already had a reference to (and nothing else). In bug 976704, I changed our opaque wrappers to deny CALL.

The spec for this stuff is basically at an impasse, which isn't likely to change any time soon - our behavior is more secure, but WebKit/Blink won't implement it because it's hard. Regardless though, bug 976704 makes our behavior more consistent, so absent more major web-compat regressions I think it should stay.