This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 23219 - contentDocument on iframe, object, frame, etc, should do a security check (and then, if that's the last of the ways you can get to Document, we can remove the security checks on Document)
Status: RESOLVED FIXED
Alias: None
Product: WHATWG
Classification: Unclassified
Component: HTML
Version: unspecified
Hardware: Other other
Importance: P3 normal
Target Milestone: Unsorted
Assignee: Ian 'Hixie' Hickson
QA Contact: contributor
URL: http://www.whatwg.org/specs/web-apps/...
Reported: 2013-09-11 20:35 UTC by contributor
Modified: 2013-11-12 21:53 UTC

Description contributor 2013-09-11 20:35:06 UTC
Specification: http://www.whatwg.org/specs/web-apps/current-work/
Multipage: http://www.whatwg.org/C#the-object-element
Complete: http://www.whatwg.org/c#the-object-element
Referrer: 

Comment:
contentDocument on iframe, object, frame, etc, should do a security check (and
then, if that's the last of the ways you can get to Document, we can remove
the security checks on Document)

Posted from: 2620:0:1000:167c:5df3:e6f0:15bb:7617 by ian@hixie.ch
User agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1612.2 Safari/537.36
Comment 1 Bobby Holley (:bholley) 2013-09-16 19:12:48 UTC
Mozilla did this in [1] a little while back. Please let me know if we're at all divergent from the desired behavior here.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=829872
Comment 2 Ian 'Hixie' Hickson 2013-11-12 03:31:07 UTC
So Safari and Firefox return null, Chrome throws a security exception.

Throwing a security exception does seem more consistent with other places where we try to do this kind of thing. Firefox throws an exception for window.document, for instance. bholley, would you be willing to move Firefox to throwing an exception for cross-origin contentDocument instead of returning null?
Comment 3 Boris Zbarsky 2013-11-12 03:53:48 UTC
Throwing an exception during a basic for/in loop over some random object from your own web page seems like a bit of an antipattern to me...
Comment 4 Bobby Holley (:bholley) 2013-11-12 16:49:58 UTC
(In reply to Ian 'Hixie' Hickson from comment #2)
> Throwing a security exception does seem more consistent with other places
> where we try to do this kind of thing. Firefox throws an exception for
> window.document, for instance.

You mean getting |document| off a cross-origin |window| object? That seems very different from getting |contentDocument| off a same-origin iframe element.

As boris noted, I think it would be a shame if enumerating random HTML Elements could cause a security exception.

> bholley, would you be willing to move Firefox
> to throwing an exception for cross-origin contentDocument instead of
> returning null?

Totally willing as an implementor if everyone decides that these are optimal semantics, but I'm not convinced that they are.
Comment 5 Ian 'Hixie' Hickson 2013-11-12 21:49:53 UTC
Fair enough. I'll make it return null.
Comment 6 contributor 2013-11-12 21:50:49 UTC
Checked in as WHATWG revision r8272.
Check-in comment: Change iframe, frame, and object.contentDocument to return null when cross-origin documents are involved.
http://html5.org/tools/web-apps-tracker?from=8271&to=8272
Comment 7 contributor 2013-11-12 21:53:12 UTC
Checked in as WHATWG revision r8273.
Check-in comment: Remove security checks on Document since there should now be no way to get to a Document from another origin.
http://html5.org/tools/web-apps-tracker?from=8272&to=8273
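
The trade-off debated in comments 2 to 4, shown as an added example that is not part of the bug thread or the specification: a for/in walk over an element completes when cross-origin contentDocument returns null and aborts when the getter throws. The makeFrame, enumerate and frameDocument names, the property values and the error message are constructed for illustration, and a plain object stands in for a real iframe element.

```javascript
// Constructed stand-in for an <iframe> element; no real DOM is involved.
// mode: "same-origin" | "null" (r8272 behaviour) | "throw" (alternative in comment 2)
function makeFrame(mode) {
  const frame = { src: "https://other.example/", width: "300" };
  Object.defineProperty(frame, "contentDocument", {
    enumerable: true,
    get() {
      if (mode === "same-origin") return { title: "child document" };
      if (mode === "null") return null;
      const err = new Error("cross-origin access blocked");
      err.name = "SecurityError";
      throw err;
    },
  });
  frame.height = "150";
  return frame;
}

// Generic for/in walk that reads every value, as a debugging helper might.
function enumerate(obj) {
  const visited = [];
  try {
    for (const key in obj) {
      void obj[key]; // reading the value runs the getter
      visited.push(key);
    }
    return { visited, error: null };
  } catch (e) {
    return { visited, error: e.name };
  }
}

// Caller-side access that tolerates both behaviours.
function frameDocument(frame) {
  try {
    const doc = frame.contentDocument;
    return doc === null ? { doc: null, status: "unavailable" } : { doc, status: "ok" };
  } catch (e) {
    if (e.name !== "SecurityError") throw e; // unrelated failure: do not mask it
    return { doc: null, status: "blocked" };
  }
}

console.log(enumerate(makeFrame("null")));
console.log(enumerate(makeFrame("throw")));
console.log(frameDocument(makeFrame("throw")).status);
```

Code that has to run across engines with either behaviour can go through a wrapper like frameDocument and treat both the null and the blocked result as "no access".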