Closed Bug 664301 Opened 11 years ago Closed 7 years ago

Test websocket handling of iframe "document.domain"

Categories

(Core :: Networking: WebSockets, defect)

defect
Not set
normal

RESOLVED WORKSFORME

People

(Reporter: dchanm+bugzilla, Unassigned)

Details

This is a placeholder to investigate the interaction of WebSockets with iframes.

Scenario
parent.foo.com includes an iframe for child.foo.com. child.foo.com contains JavaScript for WebSockets.

Questions
1. If both sites set document.domain = foo.com, what is the Sec-WebSocket-Origin: ?
2. Should parent be allowed to obtain a reference to window.frames[0].document.wsobject?
3. Should this object retain the origin of the child if the parent uses it?


The risk is likely low due to both the parent and child being bad actors.
I think that Jonas said that document.domain should not affect WebSockets at all. That is, the results of all tests should be the same, irrespective of the setting of document.domain.
Going with the idea that document.domain doesn't change the origin, are we concerned about Sec-WebSocket-Origin: child.foo.com when it is parent.foo.com communicating with the WebSocket server?

I don't think origin will be an issue since relying on it for authorization is shaky at best due to non-browsers being able to spoof it.
I'm not concerned about that, no.
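
Following the comments above, a server-side handshake check that compares the origin header exactly (so a shared foo.com parent domain does not merge child.foo.com and parent.foo.com) and still requires a credential, because a non-browser client can send any origin it likes. This is an added example, not code from this bug or from Firefox; the function names, the http:// scheme, the token value and the choice to admit requests with no origin header are assumptions.

```javascript
// Constructed values for illustration only (assumptions, not from the bug).
const ALLOWED_ORIGINS = new Set(['http://child.foo.com']);
const SESSION_TOKENS = new Map([['constructed-token-123', 'alice']]);

// Early protocol drafts sent Sec-WebSocket-Origin; RFC 6455 sends Origin.
// Header names are lower-cased, as Node's http module delivers them.
function handshakeOrigin(headers) {
  return headers['origin'] || headers['sec-websocket-origin'] || null;
}

// Hypothetical helper: decide whether to complete the WebSocket upgrade.
function checkHandshake(headers, token) {
  const origin = handshakeOrigin(headers);

  // Exact string match against the allowlist. No suffix matching on
  // "foo.com": sibling hosts stay distinct origins whatever value the
  // pages assigned to document.domain.
  if (origin !== null && !ALLOWED_ORIGINS.has(origin)) {
    return { accept: false, reason: 'origin-not-allowed' };
  }

  // The origin check only stops other sites' pages in a browser from
  // opening the socket. It is not authorization: any non-browser client
  // can send an allowed origin, so a credential is required as well.
  const user = SESSION_TOKENS.get(token) || null;
  if (user === null) {
    return { accept: false, reason: 'no-valid-credential' };
  }

  // origin === null reaches here only with a valid token (assumed policy
  // for non-browser clients, which normally send no origin header).
  return { accept: true, user, origin };
}
```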
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME