Bug 14819 - ports & protocols are expected to match in cross frame scripting along with domains.
Status: RESOLVED WORKSFORME
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore JavaScript
Version: 523.x (Safari 3)
Hardware: Macintosh OS X 10.4
: P1 Major
Assignee: Nobody
Reported: 2007-07-30 15:43 PDT by Bhagyalaxmi Dash
Modified: 2007-07-30 18:45 PDT
Description Bhagyalaxmi Dash 2007-07-30 15:43:43 PDT
In addition to the domains, ports & protocols are compared whenever there is cross-frame scripting. Earlier it was comparing only the domain names of both the frames.
The current logic makes the situation complicated when domain names are explicitly set through JavaScript methods to allow accessing the child frame that may come from a different port.
Comment 1 Geoffrey Garen 2007-07-30 17:48:57 PDT
Sam just fixed this bug. Setting domain explicitly in both documents enables access between them.
Comment 2 Bhagyalaxmi Dash 2007-07-30 18:00:14 PDT
(In reply to comment #1)
> Sam just fixed this bug. Setting domain explicitly in both documents enables
> access between them.
> 

Garen, has Sam also included the fix for Bug Id 14820 (http://bugs.webkit.org/show_bug.cgi?id=14820)?

Bug Id 14820 requires a small change in the Console message, to show the domain names along with the URLs, if there is a domain mismatch.

Thanks,
-Bhagya.
Comment 3 Jake Logan 2007-07-30 18:02:59 PDT
(In reply to comment #1)
> Sam just fixed this bug. Setting domain explicitly in both documents enables
> access between them.
> 

A typical scenario for an SAP install is to have one Portal host (lal.corp.apple.com:50000 for example) which loads content from many other hosts into various iframes using different ports (lore.corp.apple.com:8000 and mire.apple.com:51000, for example). This is achieved via domain-relaxing JavaScript in each of the frames, per IE domain-relaxing rules.

Now that ports are being checked, won't the new port checking deny cross-frame scripting requests? If so, that is a big problem for SAP installs and a restriction that IE and Firefox don't currently have. Protocol I think should be compared, but not the ports, for the reason stated above. Please advise.
Comment 4 Sam Weinig 2007-07-30 18:38:37 PDT
The new policy is to not check the port or protocol if document.domain has been explicitly set to the same legal value in both documents.  This policy matches other browsers and should not create an issue for SAP anymore.
Comment 5 Jake Logan 2007-07-30 18:45:50 PDT
(In reply to comment #4)
> The new policy is to not check the port or protocol if document.domain has been
> explicitly set to the same legal value in both documents.  This policy matches
> other browsers and should not create an issue for SAP anymore.
> 

Perfect, that's what we need for SAP.
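
The policy described in comment 4, modeled with the hosts named in comment 3. This is an added example, not WebKit's code and not part of the original thread. The function names, the label-count test for a "legal" value, and the denial when only one frame has set `document.domain` are assumptions of this example.

```javascript
// Model of the cross-frame check from comment 4 (added example, not WebKit code).
// Assumption: a "legal" document.domain value is the current domain or a parent
// of it with at least two labels; real browsers use a public-suffix check.
function makeDocument(url) {
  const u = new URL(url);
  // URL.port is "" for the scheme default, so fill it in for comparison.
  const port = u.port || (u.protocol === "https:" ? "443" : "80");
  return { protocol: u.protocol, host: u.hostname, port, domain: u.hostname, domainSet: false };
}

function setDomain(doc, value) {
  const v = value.toLowerCase();
  const isSuffix = doc.domain === v || doc.domain.endsWith("." + v);
  if (!isSuffix || v.split(".").length < 2) {
    throw new Error(`illegal document.domain "${value}" for ${doc.host}`);
  }
  doc.domain = v;
  doc.domainSet = true; // an explicit set counts even if the value is unchanged
}

function canScript(a, b) {
  // Both frames opted in: only the relaxed domain is compared;
  // port and protocol no longer isolate the two documents.
  if (a.domainSet && b.domainSet) return a.domain === b.domain;
  // Assumption: a one-sided opt-in grants nothing.
  if (a.domainSet || b.domainSet) return false;
  // Neither opted in: protocol, host and port must all match.
  return a.protocol === b.protocol && a.host === b.host && a.port === b.port;
}

// Constructed scenario: portal plus two content hosts, as in comment 3.
function sapPortalScenario() {
  const portal = makeDocument("http://lal.corp.apple.com:50000/portal");
  const lore = makeDocument("http://lore.corp.apple.com:8000/app");
  const mire = makeDocument("http://mire.apple.com:51000/app");
  const r = { beforeRelaxing: canScript(portal, lore) };
  setDomain(portal, "corp.apple.com");
  r.oneSided = canScript(portal, lore);
  setDomain(lore, "corp.apple.com");
  r.portalLore = canScript(portal, lore);
  try { setDomain(mire, "corp.apple.com"); r.mireIllegal = false; }
  catch (e) { r.mireIllegal = true; } // mire.apple.com is not under corp.apple.com
  setDomain(mire, "apple.com");
  r.portalMire = canScript(portal, mire); // corp.apple.com vs apple.com
  setDomain(portal, "apple.com");
  r.portalMireAfter = canScript(portal, mire);
  r.portalLoreAfter = canScript(portal, lore); // lore is still at corp.apple.com
  return r;
}
```

In this model, reaching `mire.apple.com` forces every frame down to `apple.com`, which opens the portal to any host under that domain that sets the same value, on any port or protocol.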