RESOLVED FIXED 81970
Web Inspector: x-frame security errors logged when typing in the console are annoying.
https://bugs.webkit.org/show_bug.cgi?id=81970
Summary Web Inspector: x-frame security errors logged when typing in the console are ...
David Levin
Reported 2012-03-22 14:42:59 PDT
Created attachment 133350 [details] outer frame 1. Save the two html documents to your local hard drive. 2. open test_iframe.html 3. open inspector and put a breakpoint in foo() 4. in the console type "window.frameElement" (Don't paste it. Actually type it.) or "window.parent.location", etc. Note that you get lots of "Unsafe JavaScript attempt to access frame with URL" errors in the console output as you type. This makes using the console really painful. Other: * These steps as given may only repro with browsers like chromium that treat all local files as different security origins. (You need the inner frame to be a different security origin to repro the issue.) * In my case, the errors don't collapse together (like they did for me in this simple example) -- perhaps that is because they have a stack trace.
Attachments
outer frame (72 bytes, text/html)
2012-03-22 14:42 PDT, David Levin
no flags
inner frame (104 bytes, text/html)
2012-03-22 14:43 PDT, David Levin
no flags
Patch (22.95 KB, patch)
2012-04-18 08:03 PDT, Vsevolod Vlasov
no flags
Patch (23.04 KB, patch)
2012-04-18 09:44 PDT, Vsevolod Vlasov
no flags
Patch (23.03 KB, patch)
2012-04-18 11:07 PDT, Vsevolod Vlasov
no flags
Patch (35.13 KB, patch)
2012-04-19 07:54 PDT, Vsevolod Vlasov
no flags
David Levin
Comment 1 2012-03-22 14:43:32 PDT
Created attachment 133351 [details] inner frame
Vsevolod Vlasov
Comment 2 2012-04-18 08:03:29 PDT
Build Bot
Comment 3 2012-04-18 08:27:10 PDT
Pavel Feldman
Comment 4 2012-04-18 08:31:34 PDT
Comment on attachment 137688 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=137688&action=review > Source/WebCore/inspector/PageRuntimeAgent.cpp:72 > + Frame* mainFrame = m_inspectedPage->mainFrame(); I would use a counter here. > Source/WebCore/inspector/PageRuntimeAgent.cpp:74 > + for (Frame* frame = mainFrame; frame; frame = frame->tree()->traverseNext(mainFrame)) I would use a static counter on console instead.
Vsevolod Vlasov
Comment 5 2012-04-18 09:44:43 PDT
Build Bot
Comment 6 2012-04-18 10:13:58 PDT
Vsevolod Vlasov
Comment 7 2012-04-18 11:07:52 PDT
Pavel Feldman
Comment 8 2012-04-19 03:26:08 PDT
Comment on attachment 137725 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=137725&action=review > Source/WebCore/page/Console.cpp:59 > + int s_muteCount = 0; Either declare it in the Console.h or stop using the s_ prefix.
Vsevolod Vlasov
Comment 9 2012-04-19 06:28:46 PDT
Csaba Osztrogonác
Comment 10 2012-04-19 07:38:22 PDT
Reopen, because it broke the debug build on Qt: ../../../../Source/WebCore/inspector/InspectorDebuggerAgent.cpp: In member function ‘virtual void WebCore::InspectorDebuggerAgent::evaluateOnCallFrame(WebCore::ErrorString*, const WTF::String&, const WTF::String&, const WTF::String*, const bool*, const bool*, const bool*, WTF::RefPtr<WebCore::TypeBuilder::Runtime::RemoteObject>&, WebCore::TypeBuilder::OptOutput<bool>*)’: ../../../../Source/WebCore/inspector/InspectorDebuggerAgent.cpp:492: error: no match for ‘operator!’ in ‘!WebCore::InspectorDebuggerAgent::scriptDebugServer()’ ../../../../Source/WebCore/inspector/InspectorDebuggerAgent.cpp:492: note: candidates are: operator!(bool) <built-in>
Vsevolod Vlasov
Comment 11 2012-04-19 07:54:41 PDT
Vsevolod Vlasov
Comment 12 2012-04-19 08:34:48 PDT
Timothy Hatcher
Comment 13 2012-04-26 18:18:16 PDT
Renaming the existing doNotPauseOnExceptions parameter to doNotPauseOnExceptionsAndMuteConsole breaks backward compatibility with version 1.0 of the protocol. Renames should not be allowed. Am I correct? If so I'll file a bug about making the compatibility checking catch such things.
Pavel Feldman
Comment 14 2012-04-27 04:46:50 PDT
(In reply to comment #13) > Renaming the existing doNotPauseOnExceptions parameter to doNotPauseOnExceptionsAndMuteConsole breaks backward compatibility with version 1.0 of the protocol. Renames should not be allowed. > > Am I correct? If so I'll file a bug about making the compatibility checking catch such things. We do not guarantee compatibility of the hidden members (methods, parameters, etc). It is explicitly stated in the announcement and these members are missing in the documentation.
Timothy Hatcher
Comment 15 2012-04-27 07:06:08 PDT
(In reply to comment #14) > (In reply to comment #13) > > Renaming the existing doNotPauseOnExceptions parameter to doNotPauseOnExceptionsAndMuteConsole breaks backward compatibility with version 1.0 of the protocol. Renames should not be allowed. > > > > Am I correct? If so I'll file a bug about making the compatibility checking catch such things. > > We do not guarantee compatibility of the hidden members (methods, parameters, etc). It is explicitly stated in the announcement and these members are missing in the documentation. Sorry, I overlooked the fact that it was hidden. Too many things are hidden, so the protocol is pretty useless without using hidden members. What is your process and timeframe for unhiding minor things like this?
Pavel Feldman
Comment 16 2012-05-02 02:08:06 PDT
> What is your process and timeframe for unhiding minor things like this? There is really no process / schedule for that. You should probably file bugs for such changes.
Note You need to log in before you can comment on or make changes to this bug.