235893 2022-01-31 08:37:06 -0800 Accessing `window.frameElement` should not report error if parent is cross-origin 2022-02-07 08:38:19 -0800 1 1 1 Unclassified WebKit Frames Safari 15 Unspecified Unspecified NEW InRadar P2 Normal --- 1 robertknight webkit-unassigned cdumez webkit-bug-importer oldest_to_newest 1835543 0 robertknight 2022-01-31 08:37:06 -0800 Calling `window.frameElement` from an iframe with a cross-origin parent returns `null` in Chrome, Firefox and Safari. In Safari it additionally results in a console error with the text "Blocked a frame with origin $IFRAME_ORIGIN from accessing a frame with origin $PARENT_ORIGIN. Protocols, domains and ports must match." In Chrome/Firefox no such error is reported. The specification [1] just says that the access should return null in this situation, it doesn't mention this access being an error. It looks like this may relate to a standards change described in https://github.com/whatwg/html/pull/266. We came across this as our application had code that checked for null-ness of `window.frameElement` and then executed different code depending on whether the child frame can reach into the parent or not. Both cases are regarded as non-error scenarios in our context. [1] https://html.spec.whatwg.org/multipage/browsers.html#dom-frameelement 1835570 1 gsnedders 2022-01-31 09:53:41 -0800 Note this is only a message in the console; window.frameElement does return null in the cross-origin case as far as I can tell. There's nothing standardised about what does and doesn't get put in the console (as errors, warnings, or in any other form). I _believe_ (but I'm not totally sure!) that the current WebKit behaviour is to log in the console for any blocked cross-origin access. Do you think that logging when no exception is thrown is confusing, or that logging an error when no exception is thrown is confusing? (http://wpt.live/html/browsers/windows/nested-browsing-contexts/frameElement.sub.html covers this case, and we indeed pass all the tests.) 1835840 2 robertknight 2022-01-31 23:16:01 -0800 I acknowledge the standard doesn't say anything about what gets logged in the browser console. I found it confusing though that a console error was logged even though no exception occurred and the code triggering the error was not doing something that the specs/MDN docs indicated as being deprecated or bad practice. The code in question looks something like: ``` if (window.frameElement) { // Execute some logic that makes use of information about the iframe // containing this document. } else { // Fallback for cross-origin case. } ``` While looking at this I found we also have some code that triggers the same error but from the other side, using the `iframe.contentDocument` property to test whether an iframe is same-origin. 1838179 3 webkit-bug-importer 2022-02-07 08:38:19 -0800 <rdar://problem/88573609>