Bug 16176

Summary: Incorrect cross-domain errors when document.domain properly set
Product: WebKit Reporter: Andy Maag <Andy.Maag>
Component: WebCore JavaScriptAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Major CC: bcn, mrowe, sam
Priority: P2 Keywords: InRadar, Regression
Version: 523.x (Safari 3)   
Hardware: PC   
OS: Windows XP   
Attachments:
Description Flags
Test case for reproducing error none

Description Andy Maag 2007-11-28 12:57:09 PST
Safari 3.0.4 seems to have introduced behavior that causes cross-domain error checking to be overly strict and not obey the same origin rule as other browsers do.

We have boiled this test case down to a simple example that works on other browsers, worked in Safari 3.0.3, but fails on 3.0.4 (Windows and Mac).  I will try attaching the test case to this ticket.  The workaround posed in the testcase does not seem to work in all cases for us, so this is a critical issue, especially because it occurs on the Mac where Safari 3.0.4 is not in Beta.
Comment 1 Andy Maag 2007-11-28 12:58:36 PST
Created attachment 17578 [details]
Test case for reproducing error
Comment 2 Mark Rowe (bdash) 2007-11-28 21:19:20 PST
<rdar://problem/5619274>
Comment 3 Brian Nahas 2007-11-29 08:24:50 PST
We tried out the nightly build from 11/28/07 (Webkit-r28063) on Windows XP and OS X 10.4.11 and most of the issues related to this problem appear to have already been resolved.  The test case attached to this ticket no longer causes any problems in Webkit-r28063.  However, this issue still exists in some cases.  I don't have a standalone test case at this time, however you can reproduce the issue by attempting to submit a review on a product at burpee.com. In Webkit-r28063, you'll see that uploading photos with your review at burpee.com does not work and the JavaScript console will have the usual error about cross-frame scripting from different sources.
Comment 4 Brian Nahas 2007-11-29 13:17:58 PST
We think we narrowed down which build fixed some of the issues.  Webkit nightly build 26801 seems to be the first nightly build since Safari 3.0.4 where some of the issues are resolved.  [26780] seemed to be the relevant changeset.  As I mentioned earlier, these changes didn't resolve all of the issues.
Comment 5 Sam Weinig 2007-11-29 13:53:23 PST
Comment on attachment 17578 [details]
Test case for reproducing error

Obsoleting the attachment as it no longer shows the issue.
Comment 6 Andy Maag 2007-12-04 13:10:32 PST
The latest nightly build as of 11/4/2007 appears to fix the issues we were having with cross-domain errors.  When will it be possible to have this fix released to production?
Comment 7 Mark Rowe (bdash) 2007-12-04 13:13:00 PST
Releases are based on Apple's schedule, and we don't comment about the schedule for future releases.  Since you mention that this issue is fixed in the latest nightly builds, can we go ahead and mark this bug as fixed?
Comment 8 Andy Maag 2007-12-04 13:29:07 PST
(In reply to comment #7)
> ...Since you mention that this issue is fixed in the latest
> nightly builds, can we go ahead and mark this bug as fixed?
> 

I'm assuming nightly builds run with the same permission checking as official builds?  If so, then yes, this can be marked as fixed and we can open new issues if we discover anything else.
Comment 9 Mark Rowe (bdash) 2007-12-04 13:30:38 PST
Yes, that is the case.  Thanks for the bug report!