1695969 - window.frames leaks closed shadow roots

Status: RESOLVED DUPLICATE of bug 1945081

(Core :: DOM: Core & HTML, defect, P2)

Description

[Mason Freed]

Attachment: iframes_in_shadow.html

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4427.5 Safari/537.36

Steps to reproduce:

See the attached repro - the window.frames attribute returns all frames on the page, including those located within shadow roots. Per the discussion at [1], all frames within shadow roots shouldn't be exposed there, but certainly closed shadow roots should not. In the attached repro, the entire shadow tree is leaked this way.

This WPT test verifies the behavior:
https://wpt.fyi/results/shadow-dom/leaktests/window-frames.html?label=master&label=experimental&aligned&q=leaktests%2Fwindow-frames.html

[1] https://github.com/WICG/webcomponents/issues/145

Comment 1

[Anne (:annevk)]

This is defined at https://html.spec.whatwg.org/multipage/window-object.html#dom-window-nameditem. In particular, https://html.spec.whatwg.org/multipage/browsers.html#document-tree-child-browsing-context says:

A browsing context child is a document-tree child browsing context of parent if child is a child browsing context and child's container is in a document tree.

If a browsing context's container would be in a shadow tree it would not be in a document tree.

Comment 2

[Edgar Chen [:edgar]]

Thanks for the spec link!

Comment 4

[Hsin-Yi Tsai (she/her) [:hsinyi]]

[domcore-bugbash-triaged] Doing domcore random bug triage - this is still valid.

Comment 5

[terjanq]

Hi! I noticed that in Firefox 143.0.3 (64-bit) the attached PoC yields window.length === 0. I assume the issue was fixed but the bug is not yet updated?

Comment 6

[Masatoshi Kimura [:emk]]

Fixed range: https://hg-edge.mozilla.org/integration/autoland/pushloghtml?fromchange=d45c9b3a59f4b9fbb84032df7156c6722b050901&tochange=ca439c5a00e2dbb2d45ad3bc8b7e53af46865bf8