Issue 406143004: Bugfix in html_dart2js: Detect window objects in a way compatible with cross domain iframes

Issue 406143004: Bugfix in html_dart2js: Detect window objects in a way compatible with cross domain iframes (Closed)

Created:
6 years, 5 months ago by kustermann

Modified:
6 years, 5 months ago

Reviewers:
floitsch, blois

CC:
reviews_dartlang.org, floitsch

Base URL:
https://dart.googlecode.com/svn/branches/bleeding_edge

Visibility:
Public.

More Reviews

Description

Bugfix in html_dart2js: Detect window objects in a way compatible with cross domain iframes The "setTimeout" member in window object can only be accessed if the window object is from the same origin. Cross origin windows will throw a security error exception. This is fixed by checking for "postMessage" in the window object (which can be accessed even in cross-origin windows). BUG=http://dartbug.com/20166 R=blois@google.com Committed: https://code.google.com/p/dart/source/detail?r=38517

Patch Set 1 #

Total comments: 6

Patch Set 2 : Use 'postMessage', change tools/dom/src/dart2js_Conversions.dart #

Created: 6 years, 5 months ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+47 lines, -4 lines)			Patch
M	dart/sdk/lib/html/dart2js/html_dart2js.dart	View		1 chunk	+2 lines, -2 lines	0 comments	Download
A	dart/tests/html/cross_domain_iframe_script.html	View	1	1 chunk	+14 lines, -0 lines	0 comments	Download
A	dart/tests/html/cross_domain_iframe_test.dart	View	1	1 chunk	+29 lines, -0 lines	0 comments	Download
M	dart/tools/dom/src/dart2js_Conversions.dart	View	1	1 chunk	+2 lines, -2 lines	0 comments	Download

Messages

Total messages: 6 (0 generated)

Expand Messages | Collapse Messages

blois

https://codereview.chromium.org/406143004/diff/1/dart/sdk/lib/html/dart2js/html_dart2js.dart File dart/sdk/lib/html/dart2js/html_dart2js.dart (right): https://codereview.chromium.org/406143004/diff/1/dart/sdk/lib/html/dart2js/html_dart2js.dart#newcode35439 dart/sdk/lib/html/dart2js/html_dart2js.dart:35439: + // Assume it's a Window if it contains ...

6 years, 5 months ago (2014-07-23 17:35:04 UTC) #2

floitsch

https://codereview.chromium.org/406143004/diff/1/dart/sdk/lib/html/dart2js/html_dart2js.dart File dart/sdk/lib/html/dart2js/html_dart2js.dart (right): https://codereview.chromium.org/406143004/diff/1/dart/sdk/lib/html/dart2js/html_dart2js.dart#newcode35442 dart/sdk/lib/html/dart2js/html_dart2js.dart:35442: + if (JS('bool', r'"self" in # && "window" in ...

6 years, 5 months ago (2014-07-23 17:57:36 UTC) #3

kustermann

Thanks, PTAL https://codereview.chromium.org/406143004/diff/1/dart/sdk/lib/html/dart2js/html_dart2js.dart File dart/sdk/lib/html/dart2js/html_dart2js.dart (right): https://codereview.chromium.org/406143004/diff/1/dart/sdk/lib/html/dart2js/html_dart2js.dart#newcode35439 dart/sdk/lib/html/dart2js/html_dart2js.dart:35439: + // Assume it's a Window if ...

6 years, 5 months ago (2014-07-23 20:10:49 UTC) #4

Thanks, PTAL

https://codereview.chromium.org/406143004/diff/1/dart/sdk/lib/html/dart2js/ht...
File dart/sdk/lib/html/dart2js/html_dart2js.dart (right):

https://codereview.chromium.org/406143004/diff/1/dart/sdk/lib/html/dart2js/ht...
dart/sdk/lib/html/dart2js/html_dart2js.dart:35439: +  // Assume it's a Window if
it contains the self/window properties.  It may be
On 2014/07/23 17:35:04, blois wrote:
> This change needs to be made in:
>
https://code.google.com/p/dart/source/browse/branches/bleeding_edge/dart/tool...
> 
> Then from tools/dom/scripts, run go.sh.
> 
> (Then revert any changes to sdk/lib/_blink/dartium/_blink_dartium.dart :( )

Done.

https://codereview.chromium.org/406143004/diff/1/dart/sdk/lib/html/dart2js/ht...
dart/sdk/lib/html/dart2js/html_dart2js.dart:35442: +  if (JS('bool', r'"self" in
# && "window" in #', e, e)) {
On 2014/07/23 17:57:36, floitsch wrote:
> On 2014/07/23 17:35:04, blois wrote:
> > The primary API exposed by _DOMWindowCrossFrame is postMessage- perhaps just
> > change setInterval to postMessage? The 'self' and 'window' check seems a bit
> > broad.
> > 
> 
> That would bring it back to being a security violation. (Unless I'm missing
> something and "postMessage" can also be accessed).

That's actually not a security violation, because frames/windows of different
origins can communicate with each other using postMessage.

https://codereview.chromium.org/406143004/diff/1/dart/sdk/lib/html/dart2js/ht...
dart/sdk/lib/html/dart2js/html_dart2js.dart:35442: +  if (JS('bool', r'"self" in
# && "window" in #', e, e)) {
On 2014/07/23 17:35:04, blois wrote:
> The primary API exposed by _DOMWindowCrossFrame is postMessage- perhaps just
> change setInterval to postMessage? The 'self' and 'window' check seems a bit
> broad.
> 

Good point. Done.

[I searched a bit on the internet but was unable to find a spec which attributes
are whitelisted (so far I know about:postMessage, self, window and frames).

kustermann

6 years, 5 months ago (2014-07-23 20:16:43 UTC) #6

Message was sent while issue was closed.

Committed patchset #2 manually as r38517 (presubmit successful).

Expand Messages | Collapse Messages