Bug 6281 - window.frames["frameName"].document does not work in Safari due to security checks
Status: RESOLVED WONTFIX
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: 420+
Hardware: Mac OS X 10.4
: P3 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-12-28 22:38 PST by Eric Seidel (no email)
Modified: 2006-03-20 02:48 PST (History)

Attachments
Test case (410 bytes, text/html)
2005-12-28 22:40 PST, Eric Seidel (no email)

Description Eric Seidel (no email) 2005-12-28 22:38:37 PST
window.frames["frameName"].document does not work in Safari

See test case.
Comment 1 Eric Seidel (no email) 2005-12-28 22:40:30 PST
Created attachment 5347
Test case
Comment 2 Eric Seidel (no email) 2005-12-28 22:44:01 PST
Hum, I'm wondering if this is a security issue... as the code looks like we should support this. Firefox allows this test case to work.
Comment 3 Eric Seidel (no email) 2005-12-28 22:46:37 PST
Yes, this seems to be due to security checks. Now the question becomes, why does Firefox allow this (at least from in the file:// to http://apple.com case)?
Comment 4 Geoffrey Garen 2005-12-28 22:55:28 PST
I think we need to add a check for whether the requesting frame is the parent of the requested frame, and allow that. Although I *don't* think that child frames get access to the parent frame -- in any browser.
Comment 5 Geoffrey Garen 2005-12-28 22:56:54 PST
On the other hand, what if a phishing site opens your bank site in a child frame and then scoops your data? Doesn't seem like we should allow that.
Comment 6 Maciej Stachowiak 2006-03-20 02:48:14 PST
This is due to security restrictions. Firefox has a slightly different model. Instead of keeping you from getting the document object at all on a frame where you don't have access, they give you the document but keep you from accessing most of its properties. I think we should keep the current model because it is simpler and therefore likely to be more robust.
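
The two models contrasted in comment 6, as a toy JavaScript model that runs in Node.js. This is an added example, not WebKit or Gecko code and not written by any commenter; the function names, the `.example` URLs, the sample document fields and the `allowed` allowlist are assumptions made for illustration.

```javascript
// Toy model (constructed) of the two cross-origin frame policies from comment 6.
const sameOrigin = (a, b) => new URL(a).origin === new URL(b).origin;

// A "frame" here is just a URL plus a plain object standing in for its document.
function makeFrame(url, fields) {
  return { url, document: { ...fields } };
}

// Model A: refuse to hand out the document reference at all.
// The whole policy is one check at one place.
function getDocumentDenyReference(callerUrl, frame) {
  return sameOrigin(callerUrl, frame.url) ? frame.document : undefined;
}

// Model B: always hand out a reference, then check every operation on it.
// `allowed` is a hypothetical allowlist standing in for the few properties
// such a model leaves readable; every trap below is part of the policy.
function getDocumentDenyProperties(callerUrl, frame, allowed = new Set()) {
  if (sameOrigin(callerUrl, frame.url)) return frame.document;
  const deny = (op, prop) => {
    throw new Error(`cross-origin ${op} of "${String(prop)}" denied`);
  };
  return new Proxy(frame.document, {
    get: (target, prop) => (allowed.has(prop) ? target[prop] : deny("read", prop)),
    set: (target, prop) => deny("write", prop),
    has: (target, prop) => allowed.has(prop),
    deleteProperty: (target, prop) => deny("delete", prop),
    defineProperty: (target, prop) => deny("define", prop),
    ownKeys: () => [],                       // do not even enumerate names
    getOwnPropertyDescriptor: () => undefined,
  });
}

// Report what a caller can actually reach under a given model.
function probe(getDocument, callerUrl, frame) {
  const doc = getDocument(callerUrl, frame);
  if (doc === undefined) return { gotReference: false, readable: [] };
  const readable = [];
  for (const prop of Object.keys(frame.document)) {
    try { void doc[prop]; readable.push(prop); } catch { /* denied */ }
  }
  return { gotReference: true, readable };
}
```

In model B a single omitted trap (for example `ownKeys`) would expose data to the cross-origin caller, which is the robustness argument comment 6 makes for keeping the single check of model A.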