Javascript exception : Permission denied to get property Window.frames

VERIFIED FIXED in mozilla0.9.7



17 years ago
17 years ago


(Reporter: Jeff.Vega, Assigned: security-bugs)







(4 attachments)



17 years ago
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.5+) Gecko/20011018
BuildID:    2001101822

After momentarily setting my useragent to trick the Citibank website into
letting me in, it doesn't display properly - the lower content frames never
loaded.  After resetting my useragent back to default, and removing any
capability.policy settings, the problem persisted.  In the JavaScript Console, I
saw "Error: uncaught exception: Permission denied to get property
Window.frames", several times, then "Error: top.frames[3] has no properties",
along with a source htm file.  This could be a javascript error on the
site...but I don't know.  I've attached the referenced source file and my
prefs.js file.

Reproducible: Always
Steps to Reproduce:
1. Get an account with Citibank to use their site.
2. Get a "sign-in-ok" cookie by temporarily setting your useragent to something
like "Mozilla/5.0 [en] (compatible; MSIE 5.0; Windows 98)".
That's what I set it to, but it doesn't matter much, Nav 4.76 is also an
"approved" browser.
3. Log in.  They've got a top frame with navigation controls, with the content
appearing in the lower frame (the rest of the window).
4. Click on any javascript navigation button in the top frame.

Actual Results:  Nothing appears in the lower frame, and an exception appears in
the console.

Expected Results:  Information about my account should appear in the lower frame.

Comment 1

17 years ago
Created attachment 54356
Preferences file in use during bug

Comment 2

17 years ago
Created attachment 54357
Source File for exception "Error: top.frames[3] has no properties Line: 842"

Jeff, could you attach the source and url of the top-level frameset?  Also,
could you possibly attach the urls of all the frames involved (by doing "open
frame in new window" on all of them and copying from url bar)?

The basic question is, is the site using :80 explicitly in the URLs to set port
80?  Or are they using multiple domains?
Component: DOM Level 0 → Security: CAPS
reassign for real
Assignee: jst → mstoltz
QA Contact: amar → bsharma

Comment 5

17 years ago
Created attachment 54429
Top (navigation) frame after sign-in

Comment 6

17 years ago
Created attachment 54430
Another frame (very tip-top) found above the top-frame.

Jeff, that's the source of the _frame_.  What's needed here is the source of the
frameset itself ("Save page as") as well as the URL of the top-level document.

Comment 8

17 years ago
If I go through the sign-in (where the error occurs) then "View | Page Source",
it shows the second attachment ("Source File for exception..."). The
"portal.htm" can be seen at the top.  I can't find any more pages to attach. :(
 Since it occurs to me from your comments that this might be a "sameOrigin"
problem, I'll try it with capability.policy.default.Window.frames "allAccess",
to see if it makes a difference.

Comment 9

17 years ago
Indeed, there are differences when I allow "allAccess" to the site for
"Window.frames".  It then excepts out with "Window.scriptglobals", and then
"Window.length".  Explicitly allowing those leaves only the final one (part of
the original set...).  This occurs after much delay:

Error: top.frames[3] has no properties
Source File:
Line: 842

Hope this helps,
-- Jeff

Comment 10

17 years ago
Thanks for your analysis. This is similar to bug 52920. If frames A and B come
from the same host, but their frameset comes from a different host, and frame A
tries to access frame B via top.frames[x], this should work. If frames A and B
come from two different hosts and A accesses content or functions in B, then we
do and should prevent the access, since to allow that is a security risk.
Ever confirmed: true


17 years ago
Target Milestone: --- → mozilla0.9.7
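
The access rule described in comment 10, modelled as an added example (not part of the bug thread and not Mozilla's code). The hostnames, the `frameset` object and the `accessViaTop` helper are constructed for illustration, and the comparison assumes the full origin (scheme, host, port), which also covers the explicit `:80` question asked earlier in the thread.

```javascript
// Constructed model of the frame-access rule from comment 10.
// All hostnames are placeholders, not the site from the report.

// Origin = scheme + host + port. The WHATWG URL parser drops a default port,
// so "http://a.example:80/" and "http://a.example/" compare equal.
function originOf(url) {
  return new URL(url).origin;
}

function sameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// Hypothetical helper: frame `from` evaluates top.frames[index].<content>.
// Reaching the frame through top.frames is allowed whatever the frameset's
// own origin is; only the final content access is checked, accessor vs. target.
function accessViaTop(frameset, from, index) {
  const accessor = frameset.frames[from];
  const target = frameset.frames[index];
  if (target === undefined) {
    return { allowed: false, reason: "no such frame" };
  }
  if (!sameOrigin(accessor.url, target.url)) {
    return { allowed: false, reason: "Permission denied" };
  }
  return { allowed: true, reason: "same origin as accessing frame" };
}

// Constructed frameset: top-level document on one host, frames on others.
const frameset = {
  url: "https://portal.example/",
  frames: [
    { name: "nav",     url: "https://bank.example/nav.htm" },
    { name: "content", url: "https://bank.example:443/content.htm" },
    { name: "ad",      url: "https://ads.example/banner.htm" },
    { name: "plain",   url: "http://bank.example/legacy.htm" },
  ],
};

console.log(accessViaTop(frameset, 0, 1)); // same host, explicit default port
console.log(accessViaTop(frameset, 0, 2)); // different host
console.log(accessViaTop(frameset, 0, 3)); // same host, different scheme
console.log(accessViaTop(frameset, 0, 7)); // index past the last frame
```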

Comment 11

17 years ago
Should be fixed now.
Last Resolved: 17 years ago
Resolution: --- → FIXED

Comment 12

17 years ago
I can confirm that 2001121703 on Win2K works for the Citibank test case.  
Great job!  I tested with a single pref to override the user-agent as MSIE 5.5.

Comment 13

17 years ago
I do not have the Citibank account. Could you please mention some other way to
test this bug?

Comment 14

17 years ago
  Try the testcase at It tests
the same problem. Take a look at the testcase (it's actually several files) and
make sure you understand what it's testing.

Comment 15

17 years ago
Verified on 2002-02-21-Trunk on WinNT.

Loaded above test case. All the frames are loaded fine and the alert is shown.
No exception in the JS console.