[Webkit-unassigned] [Bug 44372] New: Web Inspector: Any time JavaScript touches a window object reference that is cross-domain, the console reports an error.
bugzilla-daemon at webkit.org
Fri Aug 20 19:21:18 PDT 2010
https://bugs.webkit.org/show_bug.cgi?id=44372
Summary: Web Inspector: Any time JavaScript touches a window object reference that is cross-domain, the console reports an error.
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
URL: http://www.yahoo.com
OS/Version: All
Status: UNCONFIRMED
Severity: Normal
Priority: P2
Component: Web Inspector
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: ssnider at yahoo-inc.com
CC: timothy at apple.com, rik at webkit.org, keishi at webkit.org, pmuellr at yahoo.com, joepeck at webkit.org, pfeldman at chromium.org, yurys at chromium.org, bweinstein at apple.com
The Web Inspector developer console reports an error (even though no exception or error is thrown in JavaScript) any time JavaScript attempts to access a window object reference from a cross-domain site, even though this is allowed, and in fact is required for frame-busting and HTML 5 cross-domain/page messaging.
As a simple test, create a web page and publish it to one domain that looks like this:
<html>
<head><script type="text/javascript"> if (window != top) { alert("Changing location"); top.location.href = location.href; } </script></head>
<body>
<H1>Sub-Frame Page</H1>
</body>
</html>
Save this file as "sub-frame-bust-test.html" or whatever.
Then create a 2nd html page and publish it to a separate domain that looks like this:
<html>
<head><title>Window Ref Access Test</title></head>
<body>
<iframe src="http://[some other domain here]/sub-frame-bust-test.html" style="width:400px;height:250px"></iframe>
</body>
</html>
Now in the WebKit browser, turn on the developer tools, and access the 2nd page you created above.
You'll notice in the console it presents an error message saying "Unsafe access to page blah from page blah"...
THIS IS NOT UNSAFE ACCESS, and is allowed... it is required for several things.
The behavior should either be changed to not issue this error in the console, or at least change it to a warning.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
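An added example, not part of the bug report or of WebKit: the cross-origin window accesses that frame-busting depends on, modelled in plain JavaScript so it runs outside a browser. `makeCrossOriginTop`, `bustFrame` and `bustFrameByReadingTop` are hypothetical names, the `a.example`/`b.example` URLs are constructed, and the mock assumes the same-origin policy rule that a cross-origin `location.href` may be assigned but not read.

```javascript
// Constructed mock of a cross-origin top-level window (assumption: it models the
// same-origin policy rules a browser applies to a cross-origin Window reference).
function makeCrossOriginTop(url) {
  const state = { url, log: [] };
  const deny = (what) => {
    state.log.push("blocked: " + what);
    const err = new Error("Blocked cross-origin access to " + what);
    err.name = "SecurityError";
    throw err;
  };
  const location = {
    get href() { return deny("location.href (read)"); },         // read is denied
    set href(v) { state.log.push("navigated"); state.url = v; }, // write is allowed
  };
  const top = {
    get location() { return location; },
    get document() { return deny("document"); },
    postMessage(data, targetOrigin) { state.log.push("postMessage to " + targetOrigin); },
  };
  return { top, state };
}

// Frame-busting as in the report's test page, using only permitted accesses:
// an identity comparison with top and a write to top.location.href.
function bustFrame(win) {
  if (win === win.top) return false;          // not framed, nothing to do
  win.top.location.href = win.location.href;  // write only, no cross-origin read
  return true;
}

// For comparison: a variant that reads the parent's URL first fails with SecurityError.
function bustFrameByReadingTop(win) {
  try {
    if (win.top.location.href !== win.location.href) {
      win.top.location.href = win.location.href;
    }
    return "busted";
  } catch (e) {
    return e.name;
  }
}

// Constructed sample run: a page on b.example framed by a page on a.example.
const sample = makeCrossOriginTop("http://a.example/outer.html");
const framedWin = { top: sample.top, location: { href: "http://b.example/sub-frame-bust-test.html" } };
console.log(bustFrame(framedWin), sample.state.log);
```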