[Webkit-unassigned] [Bug 228270] Elements cloned into an iframe cannot be accessed by webdriver

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Jul 27 08:54:01 PDT 2021


Sam Sneddon [:gsnedders] <gsnedders at apple.com> changed:

           What    |Removed                     |Added
                 CC|                            |gsnedders at apple.com

--- Comment #3 from Sam Sneddon [:gsnedders] <gsnedders at apple.com> ---
Comment on attachment 434175
  --> https://bugs.webkit.org/attachment.cgi?id=434175

View in context: https://bugs.webkit.org/attachment.cgi?id=434175&action=review

(Non-reviewer r-)

> Source/WebKit/WebProcess/Automation/WebAutomationSessionProxy.js:213
> +          (value.nodeType == NodeType.ELEMENT || value.nodeType == NodeType.DOCUMENT || value instanceof ShadowRoot);

The "value instanceof ShadowRoot" check still suffers from the exact same problem as described above.

My suggestion here would be something like:

let constructor = value.constructor;
do {
    if (constructor.name === "Element") return true;
} while(constructor = Object.getPrototypeOf(constructor));
return false;

(With whatever else is needed to make that safe, not thought too much about this! Still need to check that value is a non-null object, at least.)

Also: per spec this is just used by https://w3c.github.io/webdriver/#dfn-internal-json-clone-algorithm, and in that case per spec we simply want to check if its an instanceof Element; so do we even want to allow other Nodes?

You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20210727/86b326d9/attachment.htm>

More information about the webkit-unassigned mailing list