Summary: window.frames["frameName"].document does not work in Safari due to security checks
Product: WebKit
Component: DOM
Reporter: Eric Seidel (no email) <eric>
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED WONTFIX
Severity: Normal
Priority: P3
Version: 420+
Hardware: Mac
OS: OS X 10.4
Description
Eric Seidel (no email)
2005-12-28 22:38:37 PST
Created attachment 5347
Test case
Hum, I'm wondering if this is a security issue... as the code looks like we should support this. Firefox allows this test case to work.

Yes, this seems to be due to security checks. Now the question becomes, why does Firefox allow this (at least from in the file:// to http://apple.com case).

I think we need to add a check for whether the requesting frame is the parent of the requested frame, and allow that. Although I *don't* think that child frames get access to the parent frame -- in any browser.

On the other hand, what if a phishing site opens your bank site in a child frame and then scoops your data? Doesn't seem like we should allow that.

This is due to security restrictions. Firefox has a slightly different model. Instead of keeping you from getting the document object at all on a frame where you don't have access, they give you the document but keep you from accessing most of its properties. I think we should keep the current model because it is simpler and therefore likely to be more robust.
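The two access-check models compared in the thread above, as an added JavaScript sketch that is not part of the original bug and is not WebKit or Firefox code. All function names are hypothetical, the sample frame is constructed, and the sketch assumes that opaque origins such as file:// match nothing.

```javascript
// Simplified model of the two cross-frame access policies discussed in the bug.
// sameOrigin, webkitStyle, firefoxStyle and tryRead are hypothetical names.

// Same-origin test on (scheme, host, port). Opaque origins such as file://
// serialize to "null"; this sketch assumes they never match anything.
function sameOrigin(a, b) {
  const oa = new URL(a).origin;
  const ob = new URL(b).origin;
  return oa !== "null" && oa === ob;
}

// Model 1 (what the bug reports for Safari): one check guards the document
// handle itself, so a cross-origin caller gets nothing back.
function webkitStyle(callerUrl, frame) {
  return sameOrigin(callerUrl, frame.url) ? frame.document : undefined;
}

// Model 2 (what the thread attributes to Firefox): the caller receives an
// object, and each kind of access has to be guarded separately.
function firefoxStyle(callerUrl, frame) {
  if (sameOrigin(callerUrl, frame.url)) return frame.document;
  const deny = (op) => () => {
    throw new Error(`Permission denied to ${op} cross-origin document`);
  };
  return new Proxy(Object.create(null), {
    get: deny("read"), set: deny("write"), has: deny("query"),
    ownKeys: deny("enumerate"), getOwnPropertyDescriptor: deny("inspect"),
    defineProperty: deny("define"), deleteProperty: deny("delete"),
  });
}

// Constructed sample frame, not taken from the attached test case.
const bank = {
  url: "https://bank.example/login",
  document: { title: "Bank", cookie: "sid=constructed" },
};

// Reports what a caller observes when it tries to read one property.
function tryRead(doc, prop) {
  try {
    return doc === undefined ? "no-document" : String(doc[prop]);
  } catch (e) {
    return "denied";
  }
}
```

Model 1 has a single guard point, while model 2 needs a guard on every operation the wrapper exposes, which is the robustness trade-off the final comment refers to.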