
Issue 840268

Starred by 2 users

Issue metadata

Status: WontFix
Owner:
Closed: May 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Windows, Chrome, Mac
Pri: 2
Type: Bug-Regression




Exception not thrown when accessing iframe with a different domain

Reported by razalka...@yahoo.com, May 7 2018

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.30 Safari/537.36

Steps to reproduce the problem:
1. Navigate to a page that contains an iframe with a different domain.
2. Open the console from DevTools.
3. Run: document.getElementById(<DifferentDomainIframeID>).contentDocument

What is the expected behavior?
Exception will be thrown:
"Uncaught DOMException: Failed to read the 'contentDocument' property from 'HTMLIFrameElement': Blocked a frame with origin "null" from accessing a cross-origin frame."

What went wrong?
Getting null.

Did this work before? Yes 66

Chrome version: 67.0.3396.30  Channel: beta
OS Version: 10.0
Flash Version:
 
dima.html
Labels: Needs-Bisect Needs-Triage-M67
Labels: Triaged-ET Needs-Feedback
Unable to reproduce this issue on reported version 67.0.3396.30 on Windows 10 using HTML given in comment#0.

1. Opened dima.html and opened devtools console.
2. Typed document.getElementById(<DifferentDomainIframeID>).contentDocument and observed error Uncaught SyntaxError: Unexpected token <
3. Searched for frame id in Elements tab, Typed document.getElementById("test").contentDocument and observed error VM732:1 Uncaught TypeError: Cannot read property 'contentDocument' of null
    at <anonymous>:1:32
4. Searched for frame id in Elements tab, Typed document.getElementById("intercom-frame").contentDocument and observed output as document.getElementById("intercom-frame").contentDocument
#document. Attaching screencast for reference.

@Reporter: Please check the screencast and let us know if we missed anything. Any further information on reproducing the issue would help in further triaging.

Thanks!
840268.mp4
I did the same in Chrome beta 67 but am getting null.
Please check the attached screencast.



Settings - Google Chrome 08-May-18 12_12_10.wmv
Project Member

Comment 4 by sheriffbot@chromium.org, May 8 2018

Cc: sindhu.chelamcherla@chromium.org
Labels: -Needs-Feedback
Thank you for providing more feedback. Adding the requester to the cc list.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 5 by creis@chromium.org, May 8 2018

Cc: creis@chromium.org nasko@chromium.org
Components: Internals>Sandbox>SiteIsolation
Labels: OS-Chrome OS-Linux OS-Mac
Owner: dcheng@chromium.org
This is most likely due to Site Isolation.  dcheng@, did you have thoughts on how to get the exception to happen for out-of-process iframes?


Status: WontFix (was: Unconfirmed)
This is intentional and matches the behavior of Firefox and Safari. See https://wpt.fyi/html/semantics/embedded-content/the-iframe-element/document-getters-return-null-for-cross-origin.html

See issue 582245 and https://chromium-review.googlesource.com/1006528 for more context.
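
The change discussed in this thread affects scripts that used the exception as their cross-origin test. The JavaScript below is an added example, not code from the reporter or from Chromium: `legacyIsSameOrigin`, `frameAccess` and `mockFrame` are hypothetical names, and the mock objects are constructed stand-ins for HTMLIFrameElement so the block runs outside a browser.

```javascript
// Pattern that depended on the exception: "no throw" is read as same-origin.
// With the null-returning behaviour it misclassifies a cross-origin frame.
function legacyIsSameOrigin(frame) {
  try {
    frame.contentDocument;
    return true;
  } catch (e) {
    return false;
  }
}

// Check that gives the same answer whether the getter throws or returns null.
function frameAccess(frame) {
  let doc;
  try {
    doc = frame.contentDocument;
  } catch (err) {
    // Older behaviour from the report: a DOMException named "SecurityError".
    if (err && err.name === 'SecurityError') {
      return { accessible: false, signal: 'exception' };
    }
    throw err; // unrelated failure, do not mask it
  }
  if (doc === null || doc === undefined) {
    // Behaviour described in the thread. null also occurs for a frame with
    // no document at all, so this means "not accessible", nothing more.
    return { accessible: false, signal: 'null' };
  }
  return { accessible: true, signal: 'document', document: doc };
}

// Constructed mock frames (assumption: only contentDocument is modelled).
function mockFrame(behaviour) {
  return {
    get contentDocument() {
      if (behaviour === 'throws') {
        const e = new Error('Blocked a frame from accessing a cross-origin frame.');
        e.name = 'SecurityError';
        throw e;
      }
      return behaviour === 'null' ? null : { title: 'same-origin page' };
    },
  };
}

console.log(legacyIsSameOrigin(mockFrame('null')), frameAccess(mockFrame('null')));
```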
