Bug 235893 - Accessing `window.frameElement` should not report error if parent is cross-origin
Summary: Accessing `window.frameElement` should not report error if parent is cross-or...
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: Frames (show other bugs)
Version: Safari 15
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2022-01-31 08:37 PST by Robert Knight
Modified: 2022-02-07 08:38 PST (History)
2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Knight 2022-01-31 08:37:06 PST 
Calling `window.frameElement` from an iframe with a cross-origin parent returns `null` in Chrome, Firefox and Safari. In Safari it additionally results in a console error with the text "Blocked a frame with origin $IFRAME_ORIGIN from accessing a frame with origin $PARENT_ORIGIN. Protocols, domains and ports must match." In Chrome/Firefox no such error is reported.

The specification [1] just says that the access should return null in this situation, it doesn't mention this access being an error. It looks like this may relate to a standards change described in https://github.com/whatwg/html/pull/266.

We came across this as our application had code that checked for null-ness of `window.frameElement` and then executed different code depending on whether the child frame can reach into the parent or not. Both cases are regarded as non-error scenarios in our context.

[1] https://html.spec.whatwg.org/multipage/browsers.html#dom-frameelement
Comment 1 Sam Sneddon [:gsnedders] 2022-01-31 09:53:41 PST 
Note this is only a message in the console; window.frameElement does return null in the cross-origin case as far as I can tell.

There's nothing standardised about what does and doesn't get put in the console (as errors, warnings, or in any other form). I _believe_ (but I'm not totally sure!) that the current WebKit behaviour is to log in the console for any blocked cross-origin access. Do you think that logging when no exception is thrown is confusing, or that logging an error when no exception is thrown is confusing?

(http://wpt.live/html/browsers/windows/nested-browsing-contexts/frameElement.sub.html covers this case, and we indeed pass all the tests.)
Comment 2 Robert Knight 2022-01-31 23:16:01 PST 
I acknowledge the standard doesn't say anything about what gets logged in the browser console. I found it confusing though that a console error was logged even though no exception occurred and the code triggering the error was not doing something that the specs/MDN docs indicated as being deprecated or bad practice.

The code in question looks something like:

```
if (window.frameElement) {
  // Execute some logic that makes use of information about the iframe
  // containing this document.
} else {
  // Fallback for cross-origin case.
}
```

While looking at this I found we also have some code that triggers the same error but from the other side, using the `iframe.contentDocument` property to test whether an iframe is same-origin.
Comment 3 Radar WebKit Bug Importer 2022-02-07 08:38:19 PST 
<rdar://problem/88573609>