[Webkit-unassigned] [Bug 208200] New: A SecurityError is thrown when opening indexedDB in an iframe within a same subdomain tree

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Feb 25 08:52:58 PST 2020


https://bugs.webkit.org/show_bug.cgi?id=208200

            Bug ID: 208200
           Summary: A SecurityError is thrown when opening indexedDB in an
                    iframe within a same subdomain tree
           Product: WebKit
           Version: Safari 13
          Hardware: All
                OS: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Frames
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: benoit.fleuriaud at soyhuce.fr

If you open an IndexedDB connection in an iframe, it throws a SecurityError, which is completely normal if you are in a cross-origin context.

But what if you are in a domain, say "a.example.com", and you embed an iframe with "src" equal to "b.a.example.com"?

The standard (https://html.spec.whatwg.org/multipage/origin.html#relaxing-the-same-origin-restriction) states that you can relax the same-origin restriction that would usually be applied by setting "document.domain" to the same Second-Level Domain (SLD) in both parent and child contexts.

In my example, setting "document.domain" to "example.com" in the top window and the iframe window is legit and should put both in a same-origin context.

Here is a reproduction link (http://a.indigital.io) with a minimalist context. The iframe loads http://b.a.indigital.io, which is a subdomain of the opening window.
