[Webkit-unassigned] [Bug 235893] New: Accessing `window.frameElement` should not report error if parent is cross-origin

Mon Jan 31 08:37:06 PST 2022

https://bugs.webkit.org/show_bug.cgi?id=235893

            Bug ID: 235893
           Summary: Accessing `window.frameElement` should not report
                    error if parent is cross-origin
           Product: WebKit
           Version: Safari 15
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Frames
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: robertknight at gmail.com

Calling `window.frameElement` from an iframe with a cross-origin parent returns `null` in Chrome, Firefox and Safari. In Safari it additionally results in a console error with the text "Blocked a frame with origin $IFRAME_ORIGIN from accessing a frame with origin $PARENT_ORIGIN. Protocols, domains and ports must match." In Chrome/Firefox no such error is reported.

The specification [1] just says that the access should return null in this situation, it doesn't mention this access being an error. It looks like this may relate to a standards change described in https://github.com/whatwg/html/pull/266.

We came across this as our application had code that checked for null-ness of `window.frameElement` and then executed different code depending on whether the child frame can reach into the parent or not. Both cases are regarded as non-error scenarios in our context.

[1] https://html.spec.whatwg.org/multipage/browsers.html#dom-frameelement

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20220131/91b79dea/attachment-0001.htm>