This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 23218 - <iframe name=foo> should be able to access parent.window.foo, even cross-origin, according to Gecko and Safari.
Status: RESOLVED DUPLICATE of bug 21674
Alias: None
Product: WHATWG
Classification: Unclassified
Component: HTML
Version: unspecified
Hardware: Other other
Importance: P3 normal
Target Milestone: Unsorted
Assignee: Ian 'Hixie' Hickson
QA Contact: contributor
URL: http://www.whatwg.org/specs/web-apps/...
Reported: 2013-09-11 20:26 UTC by contributor
Modified: 2013-10-01 20:53 UTC

Description contributor 2013-09-11 20:26:33 UTC
Specification: http://www.whatwg.org/specs/web-apps/current-work/
Multipage: http://www.whatwg.org/C#security-2
Complete: http://www.whatwg.org/c#security-2

Comment:
<iframe name=foo> should be able to access parent.window.foo, even
cross-origin, according to Gecko and Safari.

Posted from: 216.239.45.72 by ian@hixie.ch
User agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1612.2 Safari/537.36
Comment 1 Ian 'Hixie' Hickson 2013-09-11 20:26:59 UTC
TESTCASE
http://www.hixie.ch/tests/adhoc/dom/level0/window/security/001.html

Chrome fails this. (cc abarth)
Comment 2 Ian 'Hixie' Hickson 2013-09-11 21:32:09 UTC
Er, ignore that test. I changed it afterwards. It's testing something else.
Comment 3 Boris Zbarsky 2013-09-16 03:17:02 UTC
I've been trying to see if we can drop this in Gecko: disallow all cross-origin access to named _or_ indexed stuff on windows....  Web compatible?
Comment 4 Ian 'Hixie' Hickson 2013-09-16 17:50:19 UTC
I would definitely be in favour of dropping this if you can, but I would be surprised if it was Web compatible.
Comment 5 Bobby Holley (:bholley) 2013-09-16 19:34:39 UTC
(In reply to Ian 'Hixie' Hickson from comment #4)
> I would definitely be in favour of dropping this if you can, but I would be
> surprised if it was Web compatible.

I'm going to give it a try. I've filed [1] and [2].

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=916939
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=916945
Comment 6 Ian 'Hixie' Hickson 2013-09-17 20:00:33 UTC
Cool, I'll wait to see what happens before fixing the spec then. Hopefully that'll make you happy bz, since you've complained about the opposite in the past. :-)
Comment 7 Boris Zbarsky 2013-09-17 20:02:05 UTC
I can clearly never be happy.  MWAHAHA!  ;)
Comment 8 Bobby Holley (:bholley) 2013-09-20 17:38:49 UTC
(In reply to Bobby Holley (:bholley) from comment #5)
> (In reply to Ian 'Hixie' Hickson from comment #4)
> > I would definitely be in favour of dropping this if you can, but I would be
> > surprised if it was Web compatible.
> 
> I'm going to give it a try. I've filed [1] and [2].
> 
> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=916939

This one (dropping support for named access on cross-origin windows) broke Google Hangouts, so I backed it out. I think it's pretty doomed.

> [2] https://bugzilla.mozilla.org/show_bug.cgi?id=916945

This one involves subframes polluting the scope of their parent. I came up with a trick here that I think will make it web-compatible. We'll see soon enough.
Comment 9 Ian 'Hixie' Hickson 2013-10-01 20:53:58 UTC
This is really bug 21674, right? I'm marking this as a dupe, reopen it if I missed something.


> > [2] https://bugzilla.mozilla.org/show_bug.cgi?id=916945
> 
> This one involves subframes polluting the scope of their parent. I came up
> with a trick here that I think will make it web-compatible. We'll see soon
> enough.

If you manage that, please file a new bug to cover it.

*** This bug has been marked as a duplicate of bug 21674 ***