Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
bindHandlers broken when in cross-origin iframe within file: page #124
This possibly applies to other non-http(s): schemes as well (applewebdata:?) but I haven't confirmed. I've reproduced on the latest Chrome and Firefox.
The top page is an html document loaded from local disk (file://.../mypage.html). This page creates a cross-origin iframe on some remote server (https://www.mydomain.com/iframe.html). The following code inside both bindHandlers methods is broken in this case:
It's trying to use the anchor tag to detect if it's in a cross-origin iframe or not*, to determine whether accessing the parent document is safe. However, in this case,
FWIW, my preferred method for testing cross-origin-ness is just to try to access what I want inside a try-catch. But if that's not preferred, I guess you want to check that document.referrer isn't the empty string here. I'm not totally sure that's sufficient (the try-catch is the most rigorous technique), as a.host would resolve to the current iframe's host for any .href value that didn't start with an actual scheme. However, I don't know if document.referrer is ever going to do that outside of this scenario, so maybe you're ok.
* It's also worth noting that the host equality check isn't actually sufficient to determine cross-iframe access. You have to match the entire origin (including protocol and port). You could use
** For any