Closed Bug 200402 Opened 22 years ago Closed 20 years ago

JavaScript: Can't change frame location across domains (regression)

Categories

(Core :: Security, defect)

defect
Not set
major

VERIFIED WORKSFORME

People

(Reporter: mozilla.org, Assigned: security-bugs)

Attachments

(2 files)

User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.4a) Gecko/20030401
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.4a) Gecko/20030401
Using JavaScript to change the location of a frame, as in parent.foo.location.href = 'http://foo.com/foo.php', fails if the frameset is not in the same domain as the target and source frames. Additionally, the JavaScript console reports: 'Error: uncaught exception: Permission denied to get property Function.frames' or: 'Error: uncaught exception: Permission denied to get property Function.href'.
As an example, see http://textz.com/index.php3?section=concept (frameset: textz.com, frames: textz.gnutenberg.net).
The same is true for subdomains. Go to http://lists.minordomo.org/textz.com/index.php and click 'moderate' (frameset: lists.minordomo.org, frames: minordomo.org -- the problem disappears if the very same frameset is loaded as http://minordomo.org/lists/textz.com/index.php).
Both sites do not work in 1.4a, but do work in 1.3. This looks like a regression, since the same bug was present in the earlier days of Mozilla (Bug 52920), and later fixed.
Ah, and just in case: Blocking cross-domain frame updates is *not* a security feature. There are many more legitimate scenarios than just the two above.
Reproducible: Always
Steps to Reproduce:
Confirming report with Mozilla trunk binary 2003033105 WinNT. This is either for the DOM or Security, not JS Engine. Reassigning to Security for further triage -
Assignee: rogerl → mstoltz
Status: UNCONFIRMED → NEW
Component: JavaScript Engine → Security: General
Ever confirmed: true
QA Contact: pschwartau → carosendahl
The error is the same as bug 198660
Depends on: 198660
Confirmed with Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4b) Gecko/20030422
Even worse: for me it seems not only related to cross-domain links. I get the error in the HTML Client of our Content Management System (VIP 8 by http://www.gaussvip.com). All pages of this application reside on one server, all have the same domain, and nevertheless: on some pages, when a script in one frame tries to change the location of another frame, it does nothing. Strangely, it does not happen on all cross-frame actions, only on some. I tried to debug this using Venkman, but the stuff is way too complex for me to understand what's going on.
Everything works fine when using Moz 1.3.1 or below.
> As an example, see http://textz.com/index.php3?section=concept (frameset:
> textz.com, frames: textz.gnutenberg.net).
this example worksforme (moz 1.8 nightly)
> The same is true for subdomains. Go to
> http://lists.minordomo.org/textz.com/index.php and click 'moderate'
the site suffers serious usability issues. Please give the direct link to "moderate"
add qawanted keyword.
Reporter (rolux), can you give us a reduced testcase?
Keywords: qawanted
worksforme moz 1.7.3, worksforme firefox 1.0, and per comment4, worksforme 1.8 nightlies
no response from reporter -> wfm
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → WORKSFORME
Attached file Frameset Test file
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1pre) Gecko/20090526 Shiretoko/3.5pre
I'm trying to come up with a minimized test case for this (old) bug.
1. Download both files to the same location
2. Open frameset.html in the browser
3. Click the Test link
RESULT:
1. Google on top, test page on the bottom
2. Digg on top, test page on bottom after link click
3. Exception in Error Console: Error: Permission denied for <http://view.atdmt.com> to call method Location.toString on <file://>.
I'm not sure if this is related to this bug or not. Please advise me on both my test case and the result.
Verifying WORKSFORME due to lack of feedback and inability to reproduce.
Status: RESOLVED → VERIFIED
Keywords: qawanted
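The frame accesses discussed in this report, as an added example that is not part of the bug or of Mozilla's code: a small model of which Window and Location members a script may touch across origins under the current HTML Standard. The frame name foo and the hosts come from the comments above; the paths, function names and the treatment of file: URLs as opaque origins are assumptions.

```javascript
// Added example: models the cross-origin access rules of the current HTML
// Standard for Window and Location. It is not Mozilla 1.4a's implementation,
// and it does not model the separate "allowed to navigate" check.

// Serialized origin, or null when opaque (file: URLs serialize to "null").
function originOf(url) {
  const o = new URL(url).origin;
  return o === 'null' ? null : o;
}

// Assumption: an opaque origin matches nothing, itself included.
function sameOrigin(a, b) {
  const oa = originOf(a);
  return oa !== null && oa === originOf(b);
}

// Members a cross-origin script may still touch, written as "<op> <member>".
const CROSS_ORIGIN = {
  Window: new Set([
    'get window', 'get self', 'get location', 'set location', 'get closed',
    'get frames', 'get length', 'get top', 'get opener', 'get parent',
    'call close', 'call focus', 'call blur', 'call postMessage',
  ]),
  Location: new Set(['set href', 'call replace']),
};

// kind: 'Window' | 'Location'; op: 'get' | 'set' | 'call'.
// frameNames: names of the owner window's child frames (Window lookups only).
function access(scriptUrl, ownerUrl, kind, op, member, frameNames = []) {
  if (sameOrigin(scriptUrl, ownerUrl)) return 'allowed';
  if (CROSS_ORIGIN[kind].has(`${op} ${member}`)) return 'allowed';
  if (kind === 'Window' && op === 'get' && frameNames.includes(member)) return 'allowed';
  return 'denied';
}

// Constructed inputs: hosts come from the comments, paths are placeholders.
const FRAMESET = 'http://textz.com/index.php3?section=concept';
const FRAME = 'http://textz.gnutenberg.net/';

// parent.foo.location.href = ... evaluated from a script inside FRAME.
function reporterChain() {
  return [
    access(FRAME, FRAMESET, 'Window', 'get', 'foo', ['foo']), // parent.foo
    access(FRAME, FRAME, 'Window', 'get', 'location'),        // .location
    access(FRAME, FRAME, 'Location', 'set', 'href'),          // .href = url
  ];
}
```

Under the same model, a cross-origin read such as getting href or calling Location.toString evaluates to denied, while a cross-origin write to href evaluates to allowed.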