WebKit Bugzilla
RESOLVED WORKSFORME
14819
ports & protocols are expected to match in cross frame scripting along with domains.
https://bugs.webkit.org/show_bug.cgi?id=14819
Bhagyalaxmi Dash
Reported
2007-07-30 15:43:43 PDT
In addition to the domains, ports & protocols are compared whenever there is cross-frame scripting. Earlier it was comparing only the domain names of both the frames. The current logic makes the situation complicated when domain names are explicitly set through JavaScript methods to allow accessing the child frame that may come from a different port.
Geoffrey Garen
Comment 1
2007-07-30 17:48:57 PDT
Sam just fixed this bug. Setting domain explicitly in both documents enables access between them.
Bhagyalaxmi Dash
Comment 2
2007-07-30 18:00:14 PDT
(In reply to comment #1)
> Sam just fixed this bug. Setting domain explicitly in both documents enables access between them.
Garen, has Sam also included the fix for Bug Id 14820 (http://bugs.webkit.org/show_bug.cgi?id=14820)? Bug Id 14820 requires a small change in the Console message, to show the domain names along with the URLs, if there is a domain mismatch.
Thanks,
-Bhagya.
Jake Logan
Comment 3
2007-07-30 18:02:59 PDT
(In reply to comment #1)
> Sam just fixed this bug. Setting domain explicitly in both documents enables access between them.
A typical scenario for an SAP install is to have one Portal host (lal.corp.apple.com:50000 for example) which loads content from many other hosts into various iframes using different ports (lore.corp.apple.com:8000 and mire.apple.com:51000, for example). This is achieved via domain-relaxing JavaScript in each of the frames, per IE domain-relaxing rules. Now that ports are being checked, won't the new port checking deny cross-frame scripting requests? If so, that is a big problem for SAP installs and a restriction that IE and Firefox don't currently have. Protocol I think should be compared, but not the ports, for the reason stated above. Please advise.
Sam Weinig
Comment 4
2007-07-30 18:38:37 PDT
The new policy is to not check the port or protocol if document.domain has been explicitly set to the same legal value in both documents. This policy matches other browsers and should not create an issue for SAP anymore.
Jake Logan
Comment 5
2007-07-30 18:45:50 PDT
(In reply to comment #4)
> The new policy is to not check the port or protocol if document.domain has been explicitly set to the same legal value in both documents. This policy matches other browsers and should not create an issue for SAP anymore.
Perfect, that's what we need for SAP.
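The policy stated in comment 4, modelled as a small access check and run against the SAP layout from comment 3. This is an added example, not WebKit code or anything posted in this bug; `makeDoc`, `setDomain` and `canScript` are hypothetical names, and the URL schemes and paths are constructed since the thread gives only hosts and ports.

```javascript
// Model of the cross-frame access check described in comment 4 (added example).
// makeDoc, setDomain and canScript are hypothetical names, not WebKit APIs.

function makeDoc(url) {
  const u = new URL(url);
  // domain stays null until script assigns document.domain explicitly.
  return { scheme: u.protocol, host: u.hostname, port: u.port, domain: null };
}

// Mimics assigning document.domain: only the current host or a parent
// domain of it (cut at a label boundary) is accepted. Simplification:
// real browsers also reject public suffixes such as "com".
function setDomain(doc, value) {
  const v = value.toLowerCase();
  if (doc.host !== v && !doc.host.endsWith("." + v)) {
    throw new Error(`illegal document.domain "${value}" for ${doc.host}`);
  }
  doc.domain = v;
}

function canScript(a, b) {
  // Both frames opted in: only the assigned values are compared,
  // port and protocol are not checked.
  if (a.domain !== null && b.domain !== null) {
    return a.domain === b.domain;
  }
  // Otherwise the full scheme/host/port comparison applies. Treating a
  // one-sided assignment this way is an assumption; the thread does not cover it.
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Constructed sample: hosts and ports from comment 3; schemes are made up,
// with one frame on https to show that the protocol is skipped as well.
function sapDemo() {
  const portal = makeDoc("http://lal.corp.apple.com:50000/portal");
  const frame1 = makeDoc("http://lore.corp.apple.com:8000/app");
  const frame2 = makeDoc("https://mire.apple.com:51000/app");
  const before = [canScript(portal, frame1), canScript(portal, frame2)];
  for (const d of [portal, frame1, frame2]) setDomain(d, "apple.com");
  const after = [canScript(portal, frame1), canScript(portal, frame2)];
  return { before, after };
}

console.log(sapDemo());
```

The model follows the 2007 policy as worded in this thread; the current HTML standard still requires the schemes to match even when both documents have set `document.domain`.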