
Issue 677733

Starred by 2 users

Issue metadata

Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug




sessionStorage does not work in opaque origins

Reported by krass...@gmail.com, Jan 1 2017

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0

Steps to reproduce the problem:
1. Create a site with an iframe with sandbox-attribute that has no allow-same-origin value that
2. The content of the sandboxed iframe calls window.sessionStorage

What is the expected behavior?
Since the W3C spec ( https://www.w3.org/TR/html5/embedded-content-0.html#the-iframe-element ) disallows access to localStorage but still allows accessing the sessionStorage, I would expect to gain access to some kind of sessionStorage. Since the content of the iframe has a unique origin, I would expect that sessionStorage to be unique as well, so it exists only within that iframe.

What went wrong?
The JS throws a security exception. This is due to the discussion here: https://bugs.webkit.org/show_bug.cgi?id=38151

But I really think that this behaviour is wrong. Maybe it was just a workaround, because back then the sessionStorage was not unique. But it causes other problems. Using the JS API in a correct way should not cause exceptions that destroy the whole page.

Did this work before? No 

Chrome version: 55  Channel: stable
OS Version: OS X 10.12
Flash Version: Shockwave Flash 24.0 r0
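
Added example, not part of the original report or of Chromium's code: a defensive accessor that page authors can use so the security exception described above does not break a sandboxed frame. It falls back to a store that lives only in the current document. `getSessionStore`, `MemoryStore` and the two fake window objects are hypothetical names, and the fake windows are constructed stand-ins so the snippet runs outside a browser.

```javascript
// Per-document fallback with the same methods as the Web Storage interface.
class MemoryStore {
  constructor() { this.map = new Map(); }
  get length() { return this.map.size; }
  key(i) { const keys = Array.from(this.map.keys()); return i < keys.length ? keys[i] : null; }
  getItem(k) { return this.map.has(String(k)) ? this.map.get(String(k)) : null; }
  setItem(k, v) { this.map.set(String(k), String(v)); }
  removeItem(k) { this.map.delete(String(k)); }
  clear() { this.map.clear(); }
}

// Returns a usable store plus a flag saying whether it is the real sessionStorage.
// Merely reading win.sessionStorage can throw in an opaque origin, so the
// property access itself has to sit inside the try block.
function getSessionStore(win) {
  try {
    const s = win.sessionStorage;
    const probe = "__storage_probe__";
    s.setItem(probe, "1");      // also catches quota or disabled-storage errors
    s.removeItem(probe);
    return { store: s, persistent: true };
  } catch (err) {
    // The fallback is never shared across frames or reloads.
    return { store: new MemoryStore(), persistent: false, reason: err && err.name };
  }
}

// Constructed stand-in for a sandboxed frame without allow-same-origin:
// the getter throws an error named SecurityError, as the report describes.
function fakeSandboxedWindow() {
  return Object.defineProperty({}, "sessionStorage", {
    get() {
      const e = new Error("constructed: storage access denied");
      e.name = "SecurityError";
      throw e;
    },
  });
}

// Constructed stand-in for a normal same-origin window.
function fakeNormalWindow() {
  return { sessionStorage: new MemoryStore() };
}
```

In a real page, call `getSessionStore(window)` once and use the returned `store` everywhere. Adding `allow-same-origin` to the sandbox only to make storage work removes the origin isolation the sandbox was providing.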
 

Comment 1 by junov@chromium.org, Jan 2 2017

Components: -Blink Blink>HTML>IFrame
Cc: hdodda@chromium.org
Labels: Needs-Feedback
@krassmus-- Could you please provide us the sample test case to reproduce the issue, that would help us in triaging the issue better.

Thanks!

Comment 4 by sheriffbot@chromium.org, Jan 10 2017

Labels: -Needs-Feedback Needs-Review
Owner: hdodda@chromium.org
Thank you for providing more feedback. Adding requester "hdodda@chromium.org" for another review and adding "Needs-Review" label for tracking.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 5 by tkent@chromium.org, Jan 13 2017

Components: -Blink>HTML>IFrame Blink>Storage>DOMStorage Blink>SecurityFeature

Comment 6 by mek@chromium.org, Jan 17 2017

Labels: -Needs-Review -OS-Mac Hotlist-Interop OS-All
Owner: ----
Status: Available (was: Unconfirmed)
Summary: sessionStorage does not work in opaque origins (was: sessionStorage in sandboxed iframes)
I thought there was a bug for this already, but yeah, the current session storage implementation incorrectly does not work in unique/opaque origins (such as sandboxed iframes).

Comment 7 by jsb...@chromium.org, Oct 11 2017

Owner: dmu...@chromium.org

Comment 8 by est...@chromium.org, Nov 10 2017

Labels: Hotlist-EnamelAndFriendsFixIt

Comment 9 by est...@chromium.org, Feb 18 2018

Labels: -Hotlist-EnamelAndFriendsFixIt
Status: Assigned (was: Available)
Cc: dmu...@chromium.org
Owner: ----
Status: Available (was: Assigned)
Cc: pwnall@chromium.org
+pwnall for your radar
