<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE bugzilla SYSTEM "https://www.w3.org/Bugs/Public/page.cgi?id=bugzilla.dtd">

<bugzilla version="5.0.4"
          urlbase="https://www.w3.org/Bugs/Public/"
          
          maintainer="sysbot+bugzilla@w3.org"
>

    <bug>
          <bug_id>21674</bug_id>
          
          <creation_ts>2013-04-12 06:50:39 +0000</creation_ts>
          <short_desc>Security: Spec doesn&apos;t match reality for named access to cross-origin frames</short_desc>
          <delta_ts>2017-03-09 08:32:03 +0000</delta_ts>
          <reporter_accessible>1</reporter_accessible>
          <cclist_accessible>1</cclist_accessible>
          <classification_id>1</classification_id>
          <classification>Unclassified</classification>
          <product>WHATWG</product>
          <component>HTML</component>
          <version>unspecified</version>
          <rep_platform>PC</rep_platform>
          <op_sys>All</op_sys>
          <bug_status>RESOLVED</bug_status>
          <resolution>MOVED</resolution>
          
          
          <bug_file_loc></bug_file_loc>
          <status_whiteboard>Hixie, see direct e-mail 15371538</status_whiteboard>
          <keywords></keywords>
          <priority>P2</priority>
          <bug_severity>critical</bug_severity>
          <target_milestone>Unsorted</target_milestone>
          <dependson>20701</dependson>
          
          <everconfirmed>1</everconfirmed>
          <reporter name="Bobby Holley (:bholley)">bobbyholley</reporter>
          <assigned_to name="Ian &apos;Hixie&apos; Hickson">ian</assigned_to>
          <cc>annevk</cc>
    
    <cc>bzbarsky</cc>
    
    <cc>contributor</cc>
    
    <cc>dveditz</cc>
    
    <cc>ian</cc>
    
    <cc>mike</cc>
    
    <cc>w3c</cc>
          
          <qa_contact>contributor</qa_contact>

      

      

      

          <comment_sort_order>oldest_to_newest</comment_sort_order>  
          <long_desc isprivate="0" >
    <commentid>86017</commentid>
    <comment_count>0</comment_count>
    <who name="Bobby Holley (:bholley)">bobbyholley</who>
    <bug_when>2013-04-12 06:50:39 +0000</bug_when>
    <thetext>HTML5 says that the dynamic nested browsing context properties are available cross-origin on Window, but that appears to be indexed access only, not named frame access.

I just put together a testcase: http://people.mozilla.com/~bholley/testcases/cross-origin-named-window/test.html

This testcase returns true in Firefox, Safari, Chrome, Opera (Presto), and IE9. I don&apos;t have a copy of IE10 lying around, but it would be good if someone checked that.

Do we have a reason to believe that the current spec is web-compatible here?</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>86141</commentid>
    <comment_count>1</comment_count>
    <who name="Ian &apos;Hixie&apos; Hickson">ian</who>
    <bug_when>2013-04-13 17:11:31 +0000</bug_when>
    <thetext>This is just an oversight in the spec.

Extra questions:
- Are they enumerable?
- Are named properties other than child browsing context names accessible?
- If not, are they distinguishable from names that otherwise don&apos;t exist?

(I can test this if you don&apos;t have the bandwidth to, but since you&apos;ve already made a cross-origin test case, you might be able to get answers quicker than me!)</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>86145</commentid>
    <comment_count>2</comment_count>
    <who name="Bobby Holley (:bholley)">bobbyholley</who>
    <bug_when>2013-04-13 18:36:57 +0000</bug_when>
    <thetext>(In reply to comment #1)
&gt; This is just an oversight in the spec.
&gt; 
&gt; Extra questions:
&gt; - Are they enumerable?

I updated the testcase a little bit to poke on this. Looks like they&apos;re not in Chrome/Safari, but it&apos;s a bit tricky to determine this from script in Gecko, because enumerating a cross-origin window seems to throw a security exception. I&apos;m pretty sure it didn&apos;t used to, so I&apos;m going to look into that.

&gt; - Are named properties other than child browsing context names accessible?

As mentioned on IRC, I think it would be a major security problem if they were.</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>86270</commentid>
    <comment_count>3</comment_count>
    <who name="Daniel Veditz">dveditz</who>
    <bug_when>2013-04-16 06:09:24 +0000</bug_when>
    <thetext>With the updated testcase IE 10 seems to have the same results as Firefox: the script throws an access error on line 9. On Chrome I get an alert with the results &quot;Cross-Origin Named Frame Access Works: true\nEnumerable: false&quot;.</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>86294</commentid>
    <comment_count>4</comment_count>
    <who name="Bobby Holley (:bholley)">bobbyholley</who>
    <bug_when>2013-04-16 15:26:31 +0000</bug_when>
    <thetext>(In reply to comment #3)
&gt; With the updated testcase IE 10 seems to have the same results as Firefox:
&gt; the script throws an access error on line 9. On Chrome I get an alert with
&gt; the results &quot;Cross-Origin Named Frame Access Works: true\nEnumerable: false&quot;.

I&apos;ve filed [1] for this. Hixie, can you confirm my interpretation of the spec behavior on that bug?

https://bugzilla.mozilla.org/show_bug.cgi?id=862380</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>88595</commentid>
    <comment_count>5</comment_count>
    <who name="Ian &apos;Hixie&apos; Hickson">ian</who>
    <bug_when>2013-06-03 23:31:55 +0000</bug_when>
    <thetext>Bobby, can you summarise what you think should change in the spec for this?</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>91852</commentid>
    <comment_count>6</comment_count>
    <who name="Bobby Holley (:bholley)">bobbyholley</who>
    <bug_when>2013-08-09 21:46:26 +0000</bug_when>
    <thetext>(In reply to comment #5)
&gt; Bobby, can you summarise what you think should change in the spec for this?

Sorry for the delay here.

Named subframes should be cross-origin accessible just like indexed subframes (they&apos;re essentially a property of the browsing context). They are not enumerable, because cross-origin windows are not enumerable.</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>91853</commentid>
    <comment_count>7</comment_count>
    <who name="Boris Zbarsky">bzbarsky</who>
    <bug_when>2013-08-09 21:51:26 +0000</bug_when>
    <thetext>Hmm.  Does getOwnPropertyNames show them?  Named subframes are normally own props of the NamedPropertiesObject, but in the cross-window access case it&apos;s not clear to me whether they should appear to be own properties of the WindowProxy or not.</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>91854</commentid>
    <comment_count>8</comment_count>
    <who name="Boris Zbarsky">bzbarsky</who>
    <bug_when>2013-08-09 21:52:56 +0000</bug_when>
    <thetext>Largely because the spec doesn&apos;t actually define what things like getOwnPropertyDescriptor and Object.getPrototypeOf() should do on the WindowProxy in a way that&apos;s compatible with exposing the named subframes (and arguably not in any way at all, because afaict a strict reading of the spec would allow getting the proto cross-origin which can&apos;t possibly be the intention).</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>94117</commentid>
    <comment_count>9</comment_count>
    <who name="Ian &apos;Hixie&apos; Hickson">ian</who>
    <bug_when>2013-10-01 20:53:58 +0000</bug_when>
    <thetext>*** Bug 23218 has been marked as a duplicate of this bug. ***</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>124618</commentid>
    <comment_count>10</comment_count>
    <who name="Anne">annevk</who>
    <bug_when>2016-01-18 12:20:54 +0000</bug_when>
    <thetext>Okay, it seems that in order to fix this we should turn &quot;the browsing context name of any child browsing context of the active document whose name is not the empty string&quot; into its own thing so that it can be referenced both by the Window&apos;s named properties definition and by the set of properties available cross-origin.

Does that make sense?

https://github.com/annevk/html-cross-origin-objects should then take care of the rest.</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>124638</commentid>
    <comment_count>11</comment_count>
    <who name="Bobby Holley (:bholley)">bobbyholley</who>
    <bug_when>2016-01-19 20:40:44 +0000</bug_when>
    <thetext>Superficially, that sounds fine. My opinion as of the last time I thought about this issue in detail is summarized in comment 6.</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>124652</commentid>
    <comment_count>12</comment_count>
    <who name="Anne">annevk</who>
    <bug_when>2016-01-20 15:25:19 +0000</bug_when>
    <thetext>https://github.com/whatwg/html/pull/544</thetext>
  </long_desc>
      
      

    </bug>

</bugzilla>