1365157 - Add tests to make sure data: URIs are cross origin by iframe.contentDocument

https://elefant.github.io/data-uri/iframe.html Chrome will throw a DOMException but Firefox won't. Safari will NOT throw exception but will print error message like Blocked a frame with origin "https://elefant.github.io" from accessing a frame with origin "null". The frame requesting access has a protocol of "https", the frame being accessed has a protocol of "data". Protocols must match.

Henry Chang [:hchang]

Assignee

Updated

•

8 years ago

Assignee: nobody → hchang

Status: NEW → ASSIGNED

Comment hidden (mozreview-request)

Henry Chang [:hchang]

Assignee

Updated

•

8 years ago

Attachment #8897271 - Flags: review?(ckerschb)

Henry Chang [:hchang]

Assignee

Updated

•

8 years ago

Summary: add tests for bug 1364369 to make sure data: URIs are cross origin → Add tests to make sure data: URIs are cross origin by iframe.contentDocument

Christoph Kerschbaumer [:ckerschb]

Comment 6

•

8 years ago

mozreview-review

Comment on attachment 8897271 [details] Bug 1365157 - wpt test cases to ensure 'data:' iframe is forbidden to access its contentDocument. https://reviewboard.mozilla.org/r/168566/#review174114 Hey Henry, test itself looks good, but I think we only have to update /origin-of-data-document.html inside the json, right? I know you probably ran some 'mach' command to update that json, but I am not entirely sure what implications that might have to update some other tests within that jons. Probably worth checking with jgraham.

Attachment #8897271 - Flags: review?(ckerschb) → review+

Christoph Kerschbaumer [:ckerschb]

Comment 7

•

8 years ago

James, just to make sure, do those updates within the json file look OK to you?

Flags: needinfo?(james)

James Graham [:jgraham]

Comment 8

•

8 years ago

Yeah, it's just updating file hashes; the value is just used to avoid some needless work updating the actual data, so it doesn't matter too much if it's wrong and we don't lint for correctness because it creates too many makework oranges.

Flags: needinfo?(james)

Henry Chang [:hchang]

Assignee

Comment 9

•

8 years ago

(In reply to James Graham [:jgraham] from comment #8) > Yeah, it's just updating file hashes; the value is just used to avoid some > needless work updating the actual data, so it doesn't matter too much if > it's wrong and we don't lint for correctness because it creates too many > makework oranges. (In reply to Christoph Kerschbaumer [:ckerschb] from comment #6) > Comment on attachment 8897271 [details] > Bug 1365157 - wpt test cases to ensure 'data:' iframe is forbidden to access > its contentDocument. > > https://reviewboard.mozilla.org/r/168566/#review174114 > > Hey Henry, test itself looks good, but I think we only have to update > /origin-of-data-document.html inside the json, right? I know you probably > ran some 'mach' command to update that json, but I am not entirely sure what > implications that might have to update some other tests within that jons. > Probably worth checking with jgraham. Thanks for the review and yes I was told to run |./mach wpt-manifest-update| even I didn't create a new file. I'll try to run command again to see if I was doing anything wrong to result in those json changes other than origin-of-data-document.html.

Henry Chang [:hchang]

Assignee

Comment 10

•

8 years ago

(In reply to Henry Chang [:hchang] from comment #9) > (In reply to James Graham [:jgraham] from comment #8) > > Yeah, it's just updating file hashes; the value is just used to avoid some > > needless work updating the actual data, so it doesn't matter too much if > > it's wrong and we don't lint for correctness because it creates too many > > makework oranges. > > (In reply to Christoph Kerschbaumer [:ckerschb] from comment #6) > > Comment on attachment 8897271 [details] > > Bug 1365157 - wpt test cases to ensure 'data:' iframe is forbidden to access > > its contentDocument. > > > > https://reviewboard.mozilla.org/r/168566/#review174114 > > > > Hey Henry, test itself looks good, but I think we only have to update > > /origin-of-data-document.html inside the json, right? I know you probably > > ran some 'mach' command to update that json, but I am not entirely sure what > > implications that might have to update some other tests within that jons. > > Probably worth checking with jgraham. > > Thanks for the review and yes I was told to run |./mach wpt-manifest-update| > even I didn't create a new file. I'll try to run command again to see if > I was doing anything wrong to result in those json changes other than > origin-of-data-document.html. I still got a tons of hash changes in the json files. Probably people don't usually run the update command so that so many hash values have been out of sync. So, should I leave those hash value changes (even some of them have nothing to do with my patch)?

Comment hidden (mozreview-request)

Mozilla Autoland

Comment 12

•

8 years ago

hg error in cmd: hg push -r . -f try: pushing to ssh://hg.mozilla.org/try searching for changes remote: abort: abandoned transaction found! remote: (run 'hg recover' to clean up transaction) abort: stream ended unexpectedly (got 0 bytes, expected 4)

Mozilla Autoland

Comment 13

•

8 years ago

hg error in cmd: hg push -r . -f try: pushing to ssh://hg.mozilla.org/try searching for changes remote: abort: abandoned transaction found! remote: (run 'hg recover' to clean up transaction) abort: stream ended unexpectedly (got 0 bytes, expected 4)

Pulsebot

Comment 14

•

8 years ago

Pushed by hchang@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/67ce16cac163 wpt test cases to ensure 'data:' iframe is forbidden to access its contentDocument. r=ckerschb

Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)

Comment 15

•

8 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/67ce16cac163

Status: ASSIGNED → RESOLVED

Closed: 8 years ago

status-firefox57: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla57