Bug 6281

Summary: window.frames["frameName"].document does not work in Safari due to security checks
Product: WebKit Reporter: Eric Seidel (no email) <eric>
Component: DOMAssignee: Nobody <webkit-unassigned>
Status: RESOLVED WONTFIX    
Severity: Normal    
Priority: P3    
Version: 420+   
Hardware: Mac   
OS: OS X 10.4   
Attachments:
Description Flags
Test case none

Eric Seidel (no email)
Reported 2005-12-28 22:38:37 PST
window.frames["frameName"].document does not work in Safari See test case.
Attachments
Test case (410 bytes, text/html)
2005-12-28 22:40 PST, Eric Seidel (no email) 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Eric Seidel (no email)
Comment 1 2005-12-28 22:40:30 PST
Created attachment 5347 [details] Test case
Eric Seidel (no email)
Comment 2 2005-12-28 22:44:01 PST
Hum, I'm wondering if this is a security issue... as the code looks like we should support this. FireFox allows this test case to work.
Eric Seidel (no email)
Comment 3 2005-12-28 22:46:37 PST
Yes, this seems to be due to security checks. Now the question becomes, why does firefox allow this (at least from in the file:// to http://apple.com case).
Geoffrey Garen
Comment 4 2005-12-28 22:55:28 PST
I think we need to add a check for whether the requesting frame is the parent of the requested frame, and allow that. Although I *don't* think that child frames get access to the parent frame -- in any browser.
Geoffrey Garen
Comment 5 2005-12-28 22:56:54 PST
On the other hand, what if a phishing site opens your bank site in a child frame and then scoops your data? Doesn't seem like we should allow that.
Maciej Stachowiak
Comment 6 2006-03-20 02:48:14 PST
This is due to security restrictions. Firefox has a slightly different model. Instead of keeping you from getting the document object at all on a frame where you don't have access, they give you the document but keep you from accessing most of its properties. I think we should keep the current model because it is simpler and therefore likely to be more robust.
Note You need to log in before you can comment on or make changes to this bug.