950423 - caretPositionFromPoint leaks info about elements in cross-origin documents through CaretPosition accessibility

Status: RESOLVED DUPLICATE of bug 950427

(Core :: DOM: Core & HTML, defect)

Description

[Jordan Milne]

Attachment: PoC for determining the height of a framed document by checking scrollbar thumb visibility. Resizes the iframe until it's the smallest it can be with no vertical scrollbar.

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36

Steps to reproduce:

1. Create a page with an iframe and set a cross-origin src
2. Add a call to document.caretPositionFromPoint() inside the parent document with coordinates that would be inside the iframe
3. Navigate to the page with Firefox



Actual results:

document.caretPositionFromPoint() returns a CaretPosition with offsetNode set to the node from inside the iframe, provided it can contain a caret; otherwise offsetNode is set to null. 

This leaks whether the element under point is a button input element or scrollbar thumb (whose CaretPositions have accessible and null offsetNodes across principals, unlike with other elements.) It looks like this was alluded to in Bug 857703 .


Expected results:

document.caretPositionFromPoint() should return a CaretPosition with the offsetNode set to the iframe itself when the document it contains is cross-origin, as with document.elementFromPoint().

Comment 1

[Jordan Milne]

Attachment: Updated PoC

Updating PoC to (hopefully) repro on bugzilla.

Comment 2

[Boris Zbarsky [:bzbarsky]]

> should return a CaretPosition with the offsetNode set to the iframe itself when the
> document it contains is cross-origin

Yes, that would make sense to me.  

We should raise spec issues about this and the elementFromPoint behavior, by the way.

Comment 3

[Jordan Milne]

It looks like this was fixed by the patch in Bug 950427