Created attachment 8347696 [details] PoC for determining the height of a framed document by checking scrollbar thumb visibility. Resizes the iframe until it's the smallest it can be with no vertical scrollbar. User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Steps to reproduce: 1. Create a page with an iframe and set a cross-origin src 2. Add a call to document.caretPositionFromPoint() inside the parent document with coordinates that would be inside the iframe 3. Navigate to the page with Firefox Actual results: document.caretPositionFromPoint() returns a CaretPosition with offsetNode set to the node from inside the iframe, provided it can contain a caret; otherwise offsetNode is set to null. This leaks whether the element under point is a button input element or scrollbar thumb (whose CaretPositions have accessible and null offsetNodes across principals, unlike with other elements.) It looks like this was alluded to in Bug 857703 . Expected results: document.caretPositionFromPoint() should return a CaretPosition with the offsetNode set to the iframe itself when the document it contains is cross-origin, as with document.elementFromPoint().
Created attachment 8347704 [details] Updated PoC Updating PoC to (hopefully) repro on bugzilla.
Attachment #8347696 - Attachment is obsolete: true
> should return a CaretPosition with the offsetNode set to the iframe itself when the > document it contains is cross-origin Yes, that would make sense to me. We should raise spec issues about this and the elementFromPoint behavior, by the way.
Status: UNCONFIRMED → NEW
Ever confirmed: true
It looks like this was fixed by the patch in Bug 950427
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 950427
You need to log in before you can comment on or make changes to this bug.