The attribute parent of nested or inner iframe does not refer to parent iframe when submitting form

RESOLVED INCOMPLETE

Status

()

--
critical
RESOLVED INCOMPLETE
10 years ago
8 years ago

People

(Reporter: nopporn.kongwatmai, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [CLOSEME 2010-11-01])

Attachments

(2 attachments, 1 obsolete attachment)

(Reporter)

Description

10 years ago
User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)
Build Identifier: Firefox/3.0.4

I have created a dynamic nested frame for submit form. Example of code as following.

var parentFrame = doc.createElement("iframe");
parentFrame.setAttribute("id", "frame_parent_0");
parentFrame.setAttribute("name", "frame_parent_1");
parentFrame.style.display = "none";
parentFrame.style.height = "1px";
parentFrame.style.width = "1px";		
doc.body.appendChild(parentFrame);

parentFrame.onCommandEvent() = function(){
   //do something.
}

var frame = doc.createElement("iframe");
frame.setAttribute("id", "frame_0");
frame.setAttribute("name", "frame_0");
frame.style.display = "none";
frame.style.height = "1px";
frame.style.width = "1px";		
parentFrame.contentDocument.body.appendChild(frame);   //append inner frame to parent frame.

var form = document.createElement("form");
form.setAttrbute("id","form_0");
form.setAttrbute("enctype", "application/x-www-form-urlencoded");
form.setAttribute("method" "POST");
form.setAttribute("target" "frame_0");
form.style.display = "none";

var url = "http://localhost/app1";
form.setAttribute("action", url + "?timestamp=" + (new Date()).getTime());
form.submit();


After that the response from server is comming in with

<script>parent.onCommandEvent("some data");</script>

The error occur within inner iframe that is parent.onCommandEvent is not a function or something like that. 

This is working on FF2 but it does not work on FF3. 

I put alert in reponse script like the following

<script>
window.alert(parent.name);
parent.onCommandEvent("some data");
</script>

It will alert the "frame_0" which is the name of inner iframe instead of "frame_parent_0" as expected.

It seems like parent attribute of inner iframe refer to itself instead of parent iframe.





Reproducible: Always

Steps to Reproduce:
1.
2.
3.
(Reporter)

Comment 1

10 years ago
Forgot one thing.

The form is appended to parent iframe which is "frame_parent_0"

parentFrame.appendChild(form);
Do you have a working testcase that demonstrates the behavior you are trying to report?  The sample code you have provided is a decent start, but isn't valid code by itself (syntax errors, etc.)  I have tried to read your mind a bit and correct the syntax errors, but even with the "corrected" code, I cannot reproduce the issue you are seeing in either Firefox 2 or 3.  If you have a working testcase, please attach it to the bug so we can do better analysis.
(Reporter)

Comment 3

10 years ago
I have produced the new sample code that represent my case.

The request.html

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Sample Code</title>
</head>
<body>
<script language="JavaScript">
var parentFrame = document.createElement("iframe");
parentFrame.setAttribute("id", "frame_parent_0");
parentFrame.setAttribute("name", "frame_parent_0");
parentFrame.style.display = "none";
parentFrame.style.height = "1px";
parentFrame.style.width = "1px";        
document.body.appendChild(parentFrame);

parentFrame.onCommandEvent = function(){
   window.alert("Callback should be invoked here");
};

var frame = document.createElement("iframe");
frame.setAttribute("id", "frame_0");
frame.setAttribute("name", "frame_0");
frame.style.display = "none";
frame.style.height = "1px";
frame.style.width = "1px";        
parentFrame.contentDocument.body.appendChild(frame); 

var form = document.createElement("form");
form.setAttribute("id","form_0");
form.setAttribute("enctype", "application/x-www-form-urlencoded");
form.setAttribute("method", "POST");
form.setAttribute("target", "frame_0");
form.style.display = "none";
parentFrame.appendChild(form);

var url = "http://localhost:8081/response.html";
form.setAttribute("action", url + "?timestamp=" + (new Date()).getTime());

var tn = document.createElement("input");
tn.setAttribute("type", "hidden");
tn.setAttribute("name", "data");
tn.setAttribute("value", "some value");
form.appendChild(tn);

form.submit();

</script>
</body>
</html>

The response.html should be the following.

<script>
window.alert(parent.name);
parent.onCommandEvent();
</script>


The step is 

1. Put these 2 file in your web folder.
2. adjust the variable url in request.html according to your web url.
3. run request.html in FireFox 3.
4. The page will popup a lert message "frame_0" due to the alert command in respone.html to alert name of parent frame. So, the expected result should be "frame_parent_0" instead of "frame_0". 

This is an urgent issue because my JavaScript application use iframe to be a transport for cummunicating with server. Moreover, it is working fine in FireFox 2. Please let me know if you have any comments or suggestion.

I did realize that there are many bugs about iframe in firebug tracked in bugzilla.
Jonas, do you know which DOM change(s) we made in Firefox 3 that would be causing the behavior reported above?
Please attach an attachment so that we can try it out.
Created attachment 352141 [details]
Response page for form POST
Created attachment 352142 [details]
Testcase submits form
Created attachment 352143 [details]
Correct testcase to submit form (edited URL for Bugzilla)
Attachment #352142 - Attachment is obsolete: true
(Reporter)

Comment 9

10 years ago
How is your finding? I am still waiting for your comments. :-)
This does not appear to be a security vulnerability. Unhiding the bug since that is impeding getting the right people to look at this.

From your script it doesn't look like your form is "in" _either_ frame. The child frame you added to the parentFrame.contentBody -- that's in the framed document -- but the form is in the outer document within the <iframe></iframe> tags. It should have the same parent as the outer document since that's where it's living (It's in the space that's supposed to be displayed in clients that don't support frames).
Group: core-security
I can't reproduce your symptoms from the testcase attached to this bug, however, so I may be misunderstanding the problem. Does this testcase reproduce the problem you're seeing when you try it?
(Reporter)

Comment 12

10 years ago
Can you reproduce it in your local environment? I couldn't run the attached test case also.

I don't get your point for comment#10. I submitted the form with target to the iframe so the parent should be the parent of iframe instead of form. I can show the relationship between the iframe and form as follow.

<iframe id="frame_parent_0">
   <iframe id="frame_0"></iframe>
   <form id="form_0" target="frame_0" action="">
</frame>

When the form_0 is submitted, the response will run into frame_0. So, the parent attribute of frame_0 should be frame_parent_0 instead of itself.


This is working just fine on FireFox 2.


I am not sure how is it related with frame loading. I simulated this test case by using the static html page. My JavaScript creates the dynamic iframe named frame_parent_0 and append to the document likes the previous test case. However, it set the attribute src of frame_parent_0 to point to iframe_command.html which is the static html page contained the iframe and form tags. When the frame_parent_0 is completely load, it will submit the form. This solution is working fine. It seems to solve my problem. So, I guess that might be something related to the page loading. 

Moreover, the previous test case I found that the onload event of frame_parent_0 occur twice. The first one is when the frame_parent_0 is append to the document and the second is when the frame_0 is append to frame_parent_0. Is this the expected behavior? 

var parentFrame = document.createElement("iframe");
parentFrame.setAttribute("id", "frame_parent_0");
parentFrame.setAttribute("name", "frame_parent_0");
parentFrame.style.height = "1px";
parentFrame.style.width = "1px";        
document.body.appendChild(parentFrame);		
				
parentFrame.onload = function(){										
  var form =  parentFrame.contentDocument.getElementById("form_0");			
form.setAttribute("action","response.html");
form.submit();
};

parentFrame.contentWindow.onCommandEvent = onCommandEvent;

parentFrame.src = "iframe_command.html";


iframe_command.html

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Insert title here</title>
</head>
<body>
<form id="form_0" name="form_0" target="frame_0" method="post">
<input type="hidden" name="data" value=""/>
</form>
<iframe id="frame_0" name="frame_0" style="height: 1px;width: 1px;"/>
</body>
</html>
This is a mass search for bugs which are in the Firefox General component, are
UNCO, have not been changed for 500 days and have an unspecified version. 

Reporter, can you please update to Firefox 3.6.10 or later, create a fresh profile, http://support.mozilla.com/en-US/kb/managing+profiles, and test again. If you still see the issue, please update this bug. If the issue is gone, please set the status to RESOLVED > WORKSFORME.
Whiteboard: [CLOSEME 2010-11-01]
No reply from reporter, INCOMPLETE. Please retest with Firefox 3.6.12 or later and a new profile (http://support.mozilla.com/kb/Managing+profiles). If you continue to see this issue with the newest firefox and a new profile, then please comment on this bug.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.