Treat ArrayBuffers from another context as valid #170
Conversation
Fixes: #166 ArrayBuffers from another context (i.e. an iframe) do not pass the `instanceof` check but they should be treated as valid.
|
cc @jvilk |
|
@feross do you want to add a test for this case? It looks like you run browser tests. If you can access the DOM during these tests (& only run the test in the browser environment), we can inject an iframe and construct an arraybuffer using its constructor. |
|
Here's an (mostly untested) example demonstrating how this might be accomplished. Due to cross-origin issues, you need to create a data URI iframe that creates another data URI iframe and returns the result to the test context via a const childFrameHTML = `<head>
<!-- Needs to be the proper URL to buffer. -->
<script type="text/javascript" src="buffer.js"></script>
</head>
<body>
<script type="text/javascript">
const iframe = document.createElement("iframe");
iframe.src = 'data:text/html;base64,';
document.body.appendChild(iframe);
const ab = new iframe.contentWindow.ArrayBuffer(10);
const u8arr = new Uint8Array(ab);
const b = Buffer.from(ab);
u8arr[0] = 3;
window.top.postMessage('' + (b[0] === 3), "*");
</script></body>`;
const iframe = document.createElement("iframe");
iframe.onmessage = function(e) {
console.assert(e.data === "true");
};
iframe.src = 'data:text/html;base64,' + Buffer.from(childFrameHTML, 'utf8').toString('base64');
document.body.appendChild(iframe);
// In cleanup, make sure you document.body.removeChild(iframe); |
|
I think testing for this would probably be pretty brittle. I'm satisfied with just pushing out the fix and relying on code review to ensure that |
|
Released as 5.0.7 |
Fixes: #166
ArrayBuffers from another context (i.e. an iframe) do not pass the
instanceofcheck but they should be treated as valid.