HTML: getSVGDocument() / contentDocument #20432
Conversation
wpt-pr-bot
requested review from
domenic,
foolip,
jdm,
jgraham,
zcorpan and
zqzhang
Additionally, make content document (also used by contentDocument) perform the same origin-domain comparison on the two documents involved. Tests: web-platform-tests/wpt#20432. Fixes #5094.
html/semantics/embedded-content/the-iframe-element/cross-origin-to-whom.window.js
Outdated
Show resolved
Hide resolved
html/semantics/embedded-content/the-iframe-element/support/document-with-embedded-svg.html
Outdated
Show resolved
Hide resolved
|
Reassigning to @domenic since he's reviewing whatwg/html#5109 |
|
This needs a test for the change mentioned at https://github.com/whatwg/html/pull/5109/files#r353452968. In particular we want:
Consider a.example.com which embeds frame1 = a.example.com, frame2 = a.example.com (1) should be doable with something like: Grab the getSVGDocument function from frame2. Then, change frame2's document.domain to "example.com". Now, call (2) should be doable with something like: Grab getSVGDocument from frame2. Then, change frame1 and frame2's document.domain to "example.com". Now, call |
|
The current tests already test the case where the SVG's container and the SVG are same origin and the current settings object is cross origin-domain and that doesn't appear to affect things one bit. (I'm actually wondering how the current tests are not running into "perform a security check" now. Maybe nobody performs that for non- |
These days all implementations only have security checks on a couple of objects. Firefox used to have cross-origin object wrapper, but those are no longer web observable. Tests: html/browsers/origin/cross-origin-objects/cross-origin-objects.html and web-platform-tests/wpt#20432.
These days all implementations only have security checks on a couple of objects. Firefox used to have cross-origin object wrapper, but those are no longer web observable. Tests: html/browsers/origin/cross-origin-objects/cross-origin-objects.html and web-platform-tests/wpt#20432.
|
Added that other test, results are as expected. Current settings object is not involved. |
…e origin-domain with the embedder document, but both cross origin-domain with the SVG
| possibleDocument = instance[api](); | ||
| } else { | ||
| possibleDocument = instance[api]; | ||
| } |
There was a problem hiding this comment.
Nit: this could be simpler as
const possibleDocument = api === "getSVGDocument" ? instance[api]() : instance[api];| } | ||
| frame.onload = t.step_func_done(() => { | ||
| const instances = Object.keys(elements).map(element => frame.contentDocument.querySelector(element)); | ||
| instances.forEach(instance => assert_apis(instance)); |
There was a problem hiding this comment.
Suggest adding a comment like "Everything is same-origin-domain; this should definitely work"
| instances.forEach(instance => assert_apis(instance)); | ||
| document.domain = document.domain; | ||
| assert_equals(frame.contentDocument, null); | ||
| instances.forEach(instance => assert_apis(instance)); |
There was a problem hiding this comment.
Suggest adding a comment like "Current settings object is now cross-origin domain, but container node document and nested BC node document are still same-origin domain, so all the APIs should still work".
| } | ||
| frame.onload = t.step_func_done(() => { | ||
| const instances = Object.keys(elements).map(element => frame.contentDocument.querySelector(element)); | ||
| instances.forEach(instance => assert_apis(instance)); |
There was a problem hiding this comment.
Siggest adding a comment like "Everything is same-origin domain; this should definitely work"
| const svgDocument = element_to_document(instance); | ||
| svgDocument.domain = svgDocument.domain; | ||
| }); | ||
| instances.forEach(instance => assert_apis(instance, true)); |
There was a problem hiding this comment.
Suggest adding a comment like "nested BC node document is now cross-origin domain with container BC's active document and current settings object, so we expect the APIs to start returning null"
| instances.forEach(instance => assert_apis(instance, true)); | ||
| document.domain = document.domain; | ||
| assert_equals(frame.contentDocument, null); | ||
| instances.forEach(instance => assert_apis(instance, true)); |
There was a problem hiding this comment.
Suggest adding a comment like "nested BC node document is now same-origin domain with the current settings object, but still cross-origin domain with the container BC's node document, so the APIs should still return null"
| let attr = "src"; | ||
| if (name === "object") { | ||
| attr = "data"; | ||
| } |
There was a problem hiding this comment.
Nit: this could be simpler as
const attr = name === "object" ? "data" : "src";| } else { | ||
| possibleDocument = instance[api]; | ||
| } | ||
| assert_not_equals(possibleDocument, null, `${name}[${api}]`); |
There was a problem hiding this comment.
Nit:
| assert_not_equals(possibleDocument, null, `${name}[${api}]`); | |
| assert_not_equals(possibleDocument, null, `${name}.${api}`); |
(here and in the other file)
Additionally, make content document (also used by contentDocument) perform the same origin-domain comparison on the two documents involved rather than involve the current settings object. Tests: web-platform-tests/wpt#20432. Fixes #5094.
For whatwg/html#5094.