Got load event from iframes with null principal




3 years ago


(Reporter: 4b.69.6d.6f, Unassigned)


40 Branch

Firefox Tracking Flags

(Not tracked)




3 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 YaBrowser/15.7.2357.2877 Safari/537.36

Steps to reproduce:

Very rarely I see "Access denied" messages from sandboxes (created for every iframe). It happens on pages of a website with about 40-70 iframes on each. It's because some iframes got a null principal.

Simple example (no extensions installed), just paste it into the JS console and go to*:
function nestingLevel(win)
{
	// Count how many parent windows sit above this one.
	for (var i = 0; win !== win.parent; ++i, win = win.parent) {}
	return i;
}

function onContentLoad(event)
{
	// Document that fired the event (the right-hand side is missing in the report; event.target is assumed).
	var doc = event.target;
	if (doc instanceof HTMLDocument) {
		var origin = Cu.getObjectPrincipal(doc).origin;
		if (origin && origin.indexOf("moz-nullprincipal") >= 0) {
			console.log("FOUND", doc.location.href, nestingLevel(doc.defaultView), origin);
		}
	}
}

gBrowser.addEventListener("DOMContentLoaded", onContentLoad, true);

Actual results:

I see this in console:
FOUND "" 4 moz-nullprincipal:{802f6aa9-4d50-40a0-9bfa-edf2306d8316}
FOUND about:srcdoc 5 moz-nullprincipal:{88cdd943-743a-43b5-9d44-33cec6aae9b3}

Expected results:

I don't know if this is a bug or not. But I didn't find a way to create window or iframe with null principal, so it's weird.

Creating a window or iframe with nullprincipal is pretty simple.  Here's an example:

  data:text/html,<iframe sandbox></iframe>

As long as the sandbox flags don't include allow-same-origin, you get a nullprincipal.

You could examine doc.defaultView.frameElement.sandbox to verify whether that's what's going on here, but I expect it is.


3 years ago
Component: General → DOM: Security
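
The check suggested in the reply above, written out as an added example that is not part of the bug thread. The function names and the mock frame tree are constructed for illustration, and the walk assumes a context that is allowed to read `frameElement` (such as the browser console used in the report):

```javascript
// Added example; function names and the sample frame tree are constructed.
// Sandbox flags are inherited by nested browsing contexts, so an unsandboxed
// iframe inside a sandboxed one still ends up with a null principal.

// True if a sandbox attribute value withholds the allow-same-origin token.
// Tokens are whitespace-separated and matched case-insensitively.
function dropsSameOrigin(sandboxValue) {
  const tokens = sandboxValue.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean);
  return !tokens.includes("allow-same-origin");
}

// Walk from `win` up to the top window and return the nearest frame whose
// sandbox attribute forces a null principal, or null if none does.
function findSandboxingFrame(win) {
  for (let depth = 0; win && win !== win.parent; win = win.parent, depth++) {
    const frame = win.frameElement;
    if (!frame) break; // frame element not readable from this context
    const value = frame.getAttribute("sandbox");
    if (value !== null && dropsSameOrigin(value)) {
      return { levelsUp: depth, sandbox: value, frame };
    }
  }
  return null;
}

// Constructed stand-ins for window/iframe objects so the logic runs outside a browser.
function mockWindow(parent, sandboxValue) {
  const frameElement = parent
    ? { getAttribute: (name) => (name === "sandbox" ? sandboxValue : null) }
    : null;
  const win = { frameElement };
  win.parent = parent || win; // the top window is its own parent
  return win;
}

const topWin = mockWindow(null, null);
const sandboxed = mockWindow(topWin, "allow-scripts"); // no allow-same-origin
const nested = mockWindow(sandboxed, null);            // plain iframe inside it
const sameOrigin = mockWindow(topWin, "allow-scripts allow-same-origin");

for (const [name, win] of Object.entries({ sandboxed, nested, sameOrigin })) {
  const hit = findSandboxingFrame(win);
  console.log(name, hit ? `sandboxed ${hit.levelsUp} level(s) up: "${hit.sandbox}"` : "no sandboxing frame");
}
```

In the reporter's listener, calling `findSandboxingFrame(doc.defaultView)` next to the "FOUND" log line would show which ancestor frame, if any, accounts for the `moz-nullprincipal` origin.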

Comment 2

3 years ago
Yes, this is it. Thank you!

Comment 3

3 years ago
Unfortunately it's not related to the errors I got, so I did additional research and created another bug report:

OK.  Marking this one invalid, since everything here is behaving as it should.
Last Resolved: 3 years ago
Resolution: --- → INVALID