Open Bug 1695969 Opened 8 months ago Updated 6 months ago

window.frames leaks closed shadow roots

Categories

(Core :: DOM: Core & HTML, defect, P2)

Firefox 86
defect

Tracking

()

UNCONFIRMED

People

(Reporter: masonfreed, Assigned: edgar)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

Attached file iframes_in_shadow.html

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4427.5 Safari/537.36

Steps to reproduce:

See the attached repro - the window.frames attribute returns all frames on the page, including those located within shadow roots. Per the discussion at [1], all frames within shadow roots shouldn't be exposed there, but certainly closed shadow roots should not. In the attached repro, the entire shadow tree is leaked this way.

This WPT test verifies the behavior:
https://wpt.fyi/results/shadow-dom/leaktests/window-frames.html?label=master&label=experimental&aligned&q=leaktests%2Fwindow-frames.html

[1] https://github.com/WICG/webcomponents/issues/145

Component: Untriaged → DOM: Core & HTML
Product: Firefox → Core
Blocks: shadowdom

This is defined at https://html.spec.whatwg.org/multipage/window-object.html#dom-window-nameditem. In particular, https://html.spec.whatwg.org/multipage/browsers.html#document-tree-child-browsing-context says:

A browsing context child is a document-tree child browsing context of parent if child is a child browsing context and child's container is in a document tree.

If a browsing context's container would be in a shadow tree it would not be in a document tree.

Thanks for the spec link!

Assignee: nobody → echen
Severity: -- → S3
Priority: -- → P2
Duplicate of this bug: 1705603
You need to log in before you can comment on or make changes to this bug.