WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
UNCONFIRMED
Bug 44372
Web Inspector: Any time JavaScript touches a window object reference that is cross-domain, the console reports an error.
https://bugs.webkit.org/show_bug.cgi?id=44372
Summary
Web Inspector: Any time JavaScript touches a window object reference that is ...
Sean Snider
Reported
2010-08-20 19:21:18 PDT
The web inspector developer console reports an error (even though no exception or error is thrown in JavaScript), any time Javascript attempts to access a window object reference from a cross-domain site, even-though this is allowed, and in fact is required in order for frame-busting, and HTML 5 cross-domain/page messaging. As a simple test, create a web page and publish it to one domain that looks like this: <html> <head><script type="text/javascript"> if (window != top) { alert("Changing location"); top.location.href = location.href; } </script></head> <body> <H1>Sub-Frame Page</H1> </body> </html> Save this file as "sub-frame-bust-test.html" or whatever. Then create a 2nd html page and publish it to a separate domain that looks like this: <html> <head><title>Window Ref Access Test</title></head> <body> <iframe src="
http://[some
other domain here]/sub-frame-bust-test.html" style="width:400px;height:250px"></iframe> </body> </html> Now in the WebKit browser, turn on the developer tools, and access the 2nd page you created above. You'll notice in the console it presents an error message saying "Unsafe access to page blah from page blah". . . THIS IS NOT UNSAFE ACCESS, and is allowed. . . it is required for several things. The behavior should either be changed to not issue this error in the console, or at least change it too a warning.
Attachments
Add attachment
proposed patch, testcase, etc.
Pavel Feldman
Comment 1
2010-08-23 22:47:11 PDT
>> Now in the WebKit browser, turn on the developer tools, and access the 2nd page you created above.
Please clarify what you are doing in this step and when exactly it should be done.
Sean Snider
Comment 2
2010-10-07 16:23:25 PDT
What I mean is create the 2 test pages and place them on web servers, one on each domain. It seems that any attempt to access a window reference results in an error message logged to the console, even though it is not an error. When this code from the samples runs, if you open the developer console you'll see stuff like this: "Unsafe JavaScript attempt to access frame with URL
http://foo.com/sub-page.html
from frame with URL
http://bar.com/top-page.html
Domains, protocols and ports must match." However this is not true. . the do not have to match in many cases such as busting out of an iframe, or setting the top location etc.
Sean Snider
Comment 3
2011-03-30 14:18:45 PDT
Any update on this? Its quite annoying. Basically what's happening is anytime you have JS code that "touches" a window reference from another domain, WebKit logs an "exception" in the console (not a warning), even though there is no real exception thrown to Javascript, and this is not illegal. Often times you might have JS code that looks like this: if (self !== top) { /* bust out of iframe */) Or top.postMessage("mymsg", "*"); Where the js code presented here is inside an iframe, that has an x-domain location. This is illustrated in the test pages attached, but you'll need to have access to 2 different domains to test it (or use a host file and what not to acheive it).
Alexey Proskuryakov
Comment 4
2011-03-30 14:25:38 PDT
See also:
bug 45622
.
Radar WebKit Bug Importer
Comment 5
2014-12-17 11:21:07 PST
<
rdar://problem/19281469
>
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug