Cross-origin frame error #581
Comments
Able to reproduce with the following this snapshot. Interestingly enough, using inline styles seems to work though,
Found a temporary fix.
It only fails when hiding with an element selector, not with any other selector. So if you have CSS like This is because of the complicated way in which jQuery's Figuring out what that default is happens in the The iframe creation step fails in the normal popcode interface (where this iframe is inside the preview iframe), but not when the preview is opened a separate tab (in that case the iframe isn't a nested iframe). The error happens because the preview iframe is sandboxed, which gives it a unique origin and disallows it from accessing any other iframes. Unfortunately this includes iframes //inside// the sandboxed iframe as well (even if they'd be treated as same-origin in absence of the sandbox), which is kind of silly. We could fix this by adding
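The nested-iframe failure described above, as an added standalone demo page (not Popcode's or jQuery's code): a defaultDisplay() probe written in the style of jQuery 1.x/2.x runs once inside a sandbox="allow-scripts" frame and once unsandboxed, catches the cross-origin error instead of letting it escape, and falls back to a hypothetical built-in display table so the preview keeps working.

```html
<!doctype html>
<!-- Added demo, not Popcode's code. The outer page embeds the same "preview" document
     twice: once with the sandbox Popcode's preview frame uses (opaque origin) and once
     unsandboxed. Inside each, a jQuery-1.x/2.x-style defaultDisplay() creates a
     throwaway iframe to read an element's default CSS display value. -->
<body>
<pre id="log"></pre>
<script>
const log = (m) => { document.getElementById('log').textContent += m + '\n'; };
window.addEventListener('message', (e) => log(JSON.stringify(e.data)));

// Script that runs inside each preview frame; `label` identifies the frame.
const innerScript = (label) => `
  // Hypothetical fallback table, used only when the iframe probe is blocked.
  const FALLBACK = { div: 'block', span: 'inline', li: 'list-item', table: 'table' };
  function defaultDisplay(nodeName) {
    const probe = document.createElement('iframe');
    probe.style.display = 'none';
    document.body.appendChild(probe);
    try {
      // Under sandbox="allow-scripts" the parent has an opaque origin, so (as this
      // issue reports) the browser blocks this access as cross-origin and throws;
      // unsandboxed, the same access succeeds.
      const doc = probe.contentDocument || probe.contentWindow.document;
      doc.write('<!doctype html><body>');
      doc.close();
      const el = doc.body.appendChild(doc.createElement(nodeName));
      return { source: 'probe', display: doc.defaultView.getComputedStyle(el).display };
    } catch (err) {
      return { source: 'fallback', error: err.name, display: FALLBACK[nodeName] || 'block' };
    } finally {
      probe.remove();
    }
  }
  parent.postMessage({ frame: '${label}', ...defaultDisplay('div') }, '*');
`;

function embed(label, sandbox) {
  const f = document.createElement('iframe');
  if (sandbox !== null) f.setAttribute('sandbox', sandbox);
  // '<\/script>' keeps the outer HTML parser from ending this script early.
  f.srcdoc = '<body><script>' + innerScript(label) + '<\/script></body>';
  document.body.appendChild(f);
}
embed('sandboxed', 'allow-scripts');   // what Popcode's preview frame does
embed('unsandboxed', null);            // same code without the sandbox
</script>
</body>
```

Open the file in a browser; the log shows one line per frame, reporting whether the display value came from the probe or from the fallback.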
My impression is that Popcode sandboxes the iframe to prevent it from messing things up accidentally, and isn't designed to guard against someone deliberately attacking it. On the other hand, we probably don't want people to be able to trick people into clicking on snapshot links that then do malicious things. On the other other hand, I don't know that there's many malicious things one could possibly do.
Fantastic investigation and writeup @catrope! As it happens you correctly anticipated the reasoning behind the frame sandbox—the concern about a malicious snapshot or gist import link having access to the application runtime. The biggest practical concern would be gaining access to the user’s authed GitHub session. I have to say, I’m quite surprised that jQuery has this problem, given its ubiquity and maturity. Did you come across any open issues related to this? I guess in most cases it would be pretty easy for devs to just work around it by avoiding the exact combination of selectors that triggers it. Not so for us, though… Other than turning off sandbox (which I have to pretty much rule out), any ideas how we might work around this…? I will let it simmer as well.
Hmm, would
(Update: If I naïvely change
I tried that too, but
I have a meeting in a few minutes but afterwards I'll see if this issue has already been reported against jQuery. If we don't want to change Popcode's iframe sandboxing, we'd have to change/fork jQuery's show/hide code (could be as simple as trying the
TL;DR: Upgrading to jQuery 3 would fix this. There are a number of breaking changes in v3 though, so upgrading isn't trivial. I dug into the jQuery history and found a number of confusing things, but it looks like the iframe has been removed completely in jQuery 3. Initially they were talking about making Amusingly, I can claim a tiny bit of credit for this being fixed in jQuery 3, because one of the impetuses for rewriting (For reference: the change that first removed the iframe, people complaining, jQuery deciding to revert to the old behavior, and the change that did that without reintroducing the iframe.)
Thanks so much for the continued detailed investigation @catrope! I’m going to look through the 3.0 breaking changes now, but my guess is that it’s fairly unlikely that there is anything that would affect the very basic usage of jQuery that our students do. Also, it’s generally a project goal to stay as up-to-date as possible with the student-facing libraries we ship with (I always forget to upgrade these when I’m upgrading actual project dependencies). Funny that this isn’t your first contact with this issue!
Thanks again @catrope for the in-depth analysis on the bug. I wouldn't have figured it would be a jQuery issue.
No idea what to make of this, but this project throws an uncaught error when you click the button:
Original bug report
Submitter: mekhi
this does not work in the preview:
https://gist.github.com/anonymous/8549724468c89747b455b4f7312092fd