Bug 20988 - REGRESSION (r31890?): Inspector's Elements panel doesn't descend into <iframe>s with a different security origin from the main frame
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Web Inspector (Deprecated)
Version: 528+ (Nightly build)
Hardware: All All
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2008-09-22 02:35 PDT by Alexey Proskuryakov
Modified: 2010-05-27 12:59 PDT

See Also:


Attachments
Test case for LayoutTests/http/tests (1023 bytes, application/zip)
2008-09-22 02:36 PDT, Alexey Proskuryakov

Description Alexey Proskuryakov 2008-09-22 02:35:49 PDT
If a subframe navigates to a new security origin, Web Inspector hits XSS security checks. To reproduce, put the attached test case into LayoutTests/http/tests, start Apache with run-webkit-httpd, and open the test as http://127.0.0.1:8000/main.html.

If the Inspector is open while running the test, I'm getting 5 error messages. If it is opened after the test finishes, I'm getting two (but they are generated when opening Inspector, not earlier).

Tested with r36712 nightly and with a local debug build.

#0	0x0392f160 in WebCore::JSDOMWindowBase::crossDomainAccessErrorMessage at JSDOMWindowBase.cpp:793
#1	0x03562bb6 in WebCore::JSDOMWindowBase::allowsAccessFrom at JSDOMWindowCustom.h:145
#2	0x038bf5db in WebCore::allowsAccessFromFrame at JSDOMBinding.cpp:331
#3	0x038bf626 in WebCore::checkNodeSecurity at JSDOMBinding.cpp:323
#4	0x03559c0b in WebCore::JSDOMWindow::getValueProperty at JSDOMWindow.cpp:532
#5	0x03562c20 in JSC::staticValueGetter<WebCore::JSDOMWindow> at lookup.h:116
#6	0x032ab76d in JSC::PropertySlot::getValue at PropertySlot.h:63
#7	0x0399effe in WebCore::JSQuarantinedObjectWrapper::getOwnPropertySlot at JSQuarantinedObjectWrapper.cpp:114
#8	0x008ea63f in JSC::JSValue::get at JSObject.h:432
#9	0x008d5224 in JSC::Machine::cti_op_get_by_id_generic at Machine.cpp:4270
#10	0x1d99828a in ??
#11	0x008d872e in JSC::Machine::execute at Machine.cpp:963
#12	0x0082fe67 in JSC::JSFunction::call at JSFunction.cpp:70
#13	0x0082ff03 in JSC::call at CallData.cpp:39
#14	0x008d179c in JSObjectCallAsFunction at JSObjectRef.cpp:305
#15	0x03521327 in WebCore::InspectorController::callFunction at InspectorController.cpp:147
#16	0x035234f7 in WebCore::InspectorController::inspectedWindowScriptObjectCleared at InspectorController.cpp:1272
#17	0x0343a410 in WebCore::FrameLoader::dispatchWindowObjectAvailable at FrameLoader.cpp:4850
...
Comment 1 Alexey Proskuryakov 2008-09-22 02:36:35 PDT
Created attachment 23647
Test case for LayoutTests/http/tests
Comment 2 Alexey Proskuryakov 2008-09-22 02:38:51 PDT
The attached test uses a data: URL, but I was originally seeing this with two http: ones.
Comment 3 Timothy Hatcher 2009-04-29 09:50:53 PDT
I am pretty sure it was caused by this change: http://trac.webkit.org/changeset/34109
Comment 4 Adam Roben (:aroben) 2009-04-29 10:06:14 PDT
Here's an updated backtrace that shows the error message is generated while trying to access the contentDocument of the <iframe>:

 	WebKit_debug.dll!WebCore::JSDOMWindowBase::crossDomainAccessErrorMessage(const JSC::JSGlobalObject * other=0x0be652e0)  Line 178	C++
 	WebKit_debug.dll!WebCore::JSDOMWindowBase::allowsAccessFrom(JSC::ExecState * exec=0x0ac5a7bc)  Line 166 + 0x15 bytes	C++
 	WebKit_debug.dll!WebCore::allowsAccessFromFrame(JSC::ExecState * exec=0x0ac5a7bc, WebCore::Frame * frame=0x072c9688)  Line 496 + 0x12 bytes	C++
 	WebKit_debug.dll!WebCore::checkNodeSecurity(JSC::ExecState * exec=0x0ac5a7bc, WebCore::Node * node=0x07628b08)  Line 488 + 0x1f bytes	C++
 	WebKit_debug.dll!WebCore::jsHTMLIFrameElementContentDocument(JSC::ExecState * exec=0x0ac5a7bc, const JSC::Identifier & __formal={...}, const JSC::PropertySlot & slot={...})  Line 229 + 0x12 bytes	C++
 	WebKit_debug.dll!JSC::PropertySlot::getValue(JSC::ExecState * exec=0x0ac5a7bc, const JSC::Identifier & propertyName={...})  Line 63 + 0x19 bytes	C++
>	WebKit_debug.dll!WebCore::JSQuarantinedObjectWrapper::getOwnPropertySlot(JSC::ExecState * exec=0x0a01887c, const JSC::Identifier & identifier={...}, JSC::PropertySlot & slot={...})  Line 116	C++
 	JavaScriptCore_debug.dll!JSC::JSCell::fastGetOwnPropertySlot(JSC::ExecState * exec=0x0a01887c, const JSC::Identifier & propertyName={...}, JSC::PropertySlot & slot={...})  Line 332 + 0x1b bytes	C++
 	JavaScriptCore_debug.dll!JSC::JSValuePtr::get(JSC::ExecState * exec=0x0a01887c, const JSC::Identifier & propertyName={...}, JSC::PropertySlot & slot={...})  Line 485 + 0x14 bytes	C++
 	JavaScriptCore_debug.dll!JSC::JITStubs::cti_op_get_by_id_generic(void * * args=0x0012f120)  Line 477	C++
 	JavaScriptCore_debug.dll!JSC::JITStubs::cti_op_convert_this()  + 0xff bytes	C++
 	JavaScriptCore_debug.dll!JSC::JITCode::execute(JSC::RegisterFile * registerFile=0x07537100, JSC::ExecState * callFrame=0x0a018664, JSC::JSGlobalData * globalData=0x07522608, JSC::JSValuePtr * exception=0x07522b54)  Line 86 + 0x21 bytes	C++
 	JavaScriptCore_debug.dll!JSC::Interpreter::execute(JSC::FunctionBodyNode * functionBodyNode=0x0ab6cfd0, JSC::ExecState * callFrame=0x0aba44c4, JSC::JSFunction * function=0x0c2158a0, JSC::JSObject * thisObj=0x0c216240, const JSC::ArgList & args={...}, JSC::ScopeChainNode * scopeChain=0x0af6bbd8, JSC::JSValuePtr * exception=0x07522b54)  Line 695 + 0x2d bytes	C++
 	JavaScriptCore_debug.dll!JSC::JSFunction::call(JSC::ExecState * exec=0x0aba44c4, JSC::JSValuePtr thisValue={...}, const JSC::ArgList & args={...})  Line 82 + 0x4d bytes	C++
 	JavaScriptCore_debug.dll!JSC::call(JSC::ExecState * exec=0x0aba44c4, JSC::JSValuePtr functionObject={...}, JSC::CallType callType=CallTypeJS, const JSC::CallData & callData={...}, JSC::JSValuePtr thisValue={...}, const JSC::ArgList & args={...})  Line 39 + 0x23 bytes	C++
 	WebKit_debug.dll!WebCore::ScriptFunctionCall::call(bool & hadException=false, bool reportExceptions=true)  Line 126 + 0x2f bytes	C++
 	WebKit_debug.dll!WebCore::InspectorResource::createScriptObject(JSC::ExecState * scriptState=0x0aba44c4, const WebCore::ScriptObject & webInspector={...})  Line 146 + 0x18 bytes	C++
 	WebKit_debug.dll!WebCore::InspectorController::populateScriptObjects()  Line 770 + 0x39 bytes	C++
 	WebKit_debug.dll!WebCore::InspectorController::setWindowVisible(bool visible=true, bool attached=false)  Line 383	C++
 	WebKit_debug.dll!WebInspectorClient::showWindow()  Line 215	C++
 	WebKit_debug.dll!WebCore::InspectorController::showWindow()  Line 679 + 0x15 bytes	C++
 	WebKit_debug.dll!WebCore::InspectorController::scriptObjectReady()  Line 597	C++
 	WebKit_debug.dll!WebCore::jsInspectorControllerPrototypeFunctionLoaded(JSC::ExecState * exec=0x0a0181d4, JSC::JSObject * __formal=0x0c2102e0, JSC::JSValuePtr thisValue={...}, const JSC::ArgList & args={...})  Line 227	C++
 	JavaScriptCore_debug.dll!JSC::JITStubs::cti_op_call_NotJSFunction(void * * args=0x0012f638)  Line 947 + 0x2b bytes	C++
 	JavaScriptCore_debug.dll!JSC::JITStubs::cti_op_convert_this()  + 0xff bytes	C++
 	JavaScriptCore_debug.dll!JSC::JITCode::execute(JSC::RegisterFile * registerFile=0x07537100, JSC::ExecState * callFrame=0x0a01802c, JSC::JSGlobalData * globalData=0x07522608, JSC::JSValuePtr * exception=0x07522b54)  Line 86 + 0x21 bytes	C++
 	JavaScriptCore_debug.dll!JSC::Interpreter::execute(JSC::FunctionBodyNode * functionBodyNode=0x0a9d0158, JSC::ExecState * callFrame=0x0aba44c4, JSC::JSFunction * function=0x0be68ae0, JSC::JSObject * thisObj=0x0be690c0, const JSC::ArgList & args={...}, JSC::ScopeChainNode * scopeChain=0x0afae210, JSC::JSValuePtr * exception=0x07522b54)  Line 695 + 0x2d bytes	C++
 	JavaScriptCore_debug.dll!JSC::JSFunction::call(JSC::ExecState * exec=0x0aba44c4, JSC::JSValuePtr thisValue={...}, const JSC::ArgList & args={...})  Line 82 + 0x4d bytes	C++
 	JavaScriptCore_debug.dll!JSC::call(JSC::ExecState * exec=0x0aba44c4, JSC::JSValuePtr functionObject={...}, JSC::CallType callType=CallTypeJS, const JSC::CallData & callData={...}, JSC::JSValuePtr thisValue={...}, const JSC::ArgList & args={...})  Line 39 + 0x23 bytes	C++
 	WebKit_debug.dll!WebCore::JSEventListener::handleEvent(WebCore::Event * event=0x0acdfdc8, bool isWindowEvent=false)  Line 132 + 0x32 bytes	C++
 	WebKit_debug.dll!WebCore::Node::handleLocalEvents(WebCore::Event * event=0x0acdfdc8, bool useCapture=false)  Line 2353 + 0x20 bytes	C++
 	WebKit_debug.dll!WebCore::Node::dispatchGenericEvent(WTF::PassRefPtr<WebCore::Event> prpEvent={...})  Line 2474 + 0x1d bytes	C++
 	WebKit_debug.dll!WebCore::Node::dispatchEvent(WTF::PassRefPtr<WebCore::Event> e={...}, int & ec=0)  Line 2407 + 0x12 bytes	C++
 	WebKit_debug.dll!WebCore::Node::dispatchEvent(const WebCore::AtomicString & eventType={...}, bool canBubbleArg=false, bool cancelableArg=false)  Line 2785	C++
 	WebKit_debug.dll!WebCore::HTMLScriptElement::dispatchLoadEvent()  Line 220	C++
 	WebKit_debug.dll!WebCore::ScriptElementData::execute(WebCore::CachedScript * cachedScript=0x0ae24918)  Line 202 + 0x15 bytes	C++
 	WebKit_debug.dll!WebCore::Document::executeScriptSoonTimerFired(WebCore::Timer<WebCore::Document> * timer=0x0ae84740)  Line 4142	C++
 	WebKit_debug.dll!WebCore::Timer<WebCore::Document>::fired()  Line 98 + 0x29 bytes	C++
 	WebKit_debug.dll!WebCore::ThreadTimers::fireTimers(double fireTime=1241024531.9553940, const WTF::Vector<WebCore::TimerBase *,0> & firingTimers=[2](0x0ae84740 {m_nextFireTime=??? m_repeatInterval=??? m_heapIndex=??? ...},0x0ae24ab8 {m_nextFireTime=??? m_repeatInterval=??? m_heapIndex=??? ...}))  Line 111 + 0xf bytes	C++
 	WebKit_debug.dll!WebCore::ThreadTimers::sharedTimerFiredInternal()  Line 143	C++
 	WebKit_debug.dll!WebCore::ThreadTimers::sharedTimerFired()  Line 123	C++
 	WebKit_debug.dll!WebCore::TimerWindowWndProc(HWND__ * hWnd=0x00060774, unsigned int message=49577, unsigned int wParam=0, long lParam=0)  Line 101 + 0x8 bytes	C++
Comment 5 Adam Roben (:aroben) 2009-04-29 10:07:09 PDT
The user-visible effect of these errors is that the Elements panel doesn't descend into subframes. Retitling.
Comment 6 Adam Roben (:aroben) 2009-04-29 10:08:02 PDT
<rdar://problem/6838965>
Comment 7 Adam Roben (:aroben) 2009-04-29 10:53:34 PDT
By running old builds, I've determined that this regression happened between r31886 (descending into subframes works) and r31906 (descending into subframes doesn't work). The most likely candidate by far is r31890, which introduced JSQuarantinedObjectWrapper and friends. <http://trac.webkit.org/changeset/31890>
Comment 8 Adam Roben (:aroben) 2009-04-29 10:55:32 PDT
Maybe Sam or Adam has some ideas about how to safely access subframes from different security origins without causing security problems.
Comment 9 Adam Barth 2009-04-29 11:35:05 PDT
(In reply to comment #8)
> Maybe Sam or Adam has some ideas about how to safely access subframes from
> different security origins without causing security problems.

It's been a while since I looked at this code, but it sounds like we're using the wrong security origin for the access check.  Meaning, we're using the page's security origin instead of the inspector's origin.
Comment 10 Pavel Feldman 2010-05-27 12:59:52 PDT
This has been fixed with the native InspectorDOMAgent.