Bug 235893
| Summary: | Accessing `window.frameElement` should not report error if parent is cross-origin | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Robert Knight <robertknight> |
| Component: | Frames | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW | ||
| Severity: | Normal | CC: | cdumez, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | Safari 15 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
Robert Knight
Calling `window.frameElement` from an iframe with a cross-origin parent returns `null` in Chrome, Firefox and Safari. In Safari it additionally results in a console error with the text "Blocked a frame with origin $IFRAME_ORIGIN from accessing a frame with origin $PARENT_ORIGIN. Protocols, domains and ports must match." In Chrome/Firefox no such error is reported.
The specification [1] just says that the access should return null in this situation, it doesn't mention this access being an error. It looks like this may relate to a standards change described in https://github.com/whatwg/html/pull/266.
We came across this as our application had code that checked for null-ness of `window.frameElement` and then executed different code depending on whether the child frame can reach into the parent or not. Both cases are regarded as non-error scenarios in our context.
[1] https://html.spec.whatwg.org/multipage/browsers.html#dom-frameelement
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Sam Sneddon [:gsnedders]
Note this is only a message in the console; window.frameElement does return null in the cross-origin case as far as I can tell.
There's nothing standardised about what does and doesn't get put in the console (as errors, warnings, or in any other form). I _believe_ (but I'm not totally sure!) that the current WebKit behaviour is to log in the console for any blocked cross-origin access. Do you think that logging when no exception is thrown is confusing, or that logging an error when no exception is thrown is confusing?
(http://wpt.live/html/browsers/windows/nested-browsing-contexts/frameElement.sub.html covers this case, and we indeed pass all the tests.)
Robert Knight
I acknowledge the standard doesn't say anything about what gets logged in the browser console. I found it confusing though that a console error was logged even though no exception occurred and the code triggering the error was not doing something that the specs/MDN docs indicated as being deprecated or bad practice.
The code in question looks something like:
```
if (window.frameElement) {
// Execute some logic that makes use of information about the iframe
// containing this document.
} else {
// Fallback for cross-origin case.
}
```
While looking at this I found we also have some code that triggers the same error but from the other side, using the `iframe.contentDocument` property to test whether an iframe is same-origin.
Radar WebKit Bug Importer
<rdar://problem/88573609>