Open Bug 1695969 Opened 3 years ago Updated 3 years ago

window.frames leaks closed shadow roots

Categories

(Core :: DOM: Core & HTML, defect, P2)

Product:
Core
Component:
DOM: Core & HTML
Version:
Firefox 86
Type:
defect

Tracking

()

Status:
UNCONFIRMED

People

(Reporter: masonfreed, Assigned: edgar)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

iframes_in_shadow.html
687 bytes, text/html
Details
Attached file iframes_in_shadow.html

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4427.5 Safari/537.36

Steps to reproduce:

See the attached repro - the window.frames attribute returns all frames on the page, including those located within shadow roots. Per the discussion at [1], all frames within shadow roots shouldn't be exposed there, but certainly closed shadow roots should not. In the attached repro, the entire shadow tree is leaked this way.

This WPT test verifies the behavior:
https://wpt.fyi/results/shadow-dom/leaktests/window-frames.html?label=master&label=experimental&aligned&q=leaktests%2Fwindow-frames.html

[1] https://github.com/WICG/webcomponents/issues/145

Component: Untriaged → DOM: Core & HTML
Product: Firefox → Core
Blocks: shadowdom

This is defined at https://html.spec.whatwg.org/multipage/window-object.html#dom-window-nameditem. In particular, https://html.spec.whatwg.org/multipage/browsers.html#document-tree-child-browsing-context says:

A browsing context child is a document-tree child browsing context of parent if child is a child browsing context and child's container is in a document tree.

If a browsing context's container would be in a shadow tree it would not be in a document tree.

Thanks for the spec link!

Assignee: nobody → echen
Severity: -- → S3
Priority: -- → P2
You need to log in before you can comment on or make changes to this bug.