Issue metadata
Sign in to add a comment
|
Accessing Chrome error pages raises a SecurityError
Reported by
laszlo.j...@gmail.com,
Nov 7
|
||||||||||||||||||||||||
Issue description
UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
Steps to reproduce the problem:
1. start Chrome with disabled web security and isolation:
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --disable-site-isolation-trials --user-data-dir="c:/chrome-temp"
2. use the following script:
const win = window.open("about:blank");
win.location.assign("totally wrong address");
//win.location.assign("https://www.google.com");
win.addEventListener("unload", function (){
requestIdleCallback(function (){
win.document; // accessing the document of the loaded page
}, {timeout: 1});
});
3. for google.com the document is accessible
4. for the "totally wrong address" the Chrome error page is not accessible, I got Uncaught DOMException: Blocked a frame with origin "file://" from accessing a cross-origin frame.
In Chrome v68 I was able to access the error page and so the code was able to send an error message about the wrong address. Since I got Chrome v70 with site isolation I cannot access the Chrome error page with the "error:" protocol, so the code does not know whether this is a configuration issue or a problem with the given address.
What is the expected behavior?
It should not raise an error.
What went wrong?
Since Chrome v70 I got a security error about cross-frame & cross-origin communication even with disabled web security and site isolation.
Did this work before? Yes v68, maybe v69
Does this work in other browsers? Yes
Chrome version: 70.0.3538.77 Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: Shockwave Flash 31.0 r0
I would be happy if you could give this feature back.
,
Nov 8
,
Nov 8
laszlo.janszky@ Thanks for the issue. Tested this issue on Windows 10 on the reported version 70.0.3538.77 and the latest Canary 72.0.3604.0 by following the below steps. 1. Launched Chrome with '--disable-web-security --disable-site-isolation-trials --user-data-dir="c:/chrome-temp' from the terminal. 2. Opened the given html file and navigated to devtools->console. 3. Can observe the error 'Uncaught TypeError: Cannot read property 'location' of null at x.htm:3'. Attached is the screen cast for reference. Request you to check and confirm if anything is missed from our end in triaging the issue. Also request you to provide the scareen cast of the steps followed which will help in better understanding of the issue. Thanks..
,
Nov 9
Might be this? https://chromium-review.googlesource.com/c/chromium/src/+/1216684/ mkwst@ can you take a look?
,
Nov 9
You should reload the page after allowing popups, otherwise the child window won't be created and you won't be able to access window.location. I can send a screen cast later if this does not fix the problem. Note, that the address must have a "file://" protocol or point to a non-existing server like "http://qqqqqqqqqqqqqqqqqqqqqq.com", otherwise you will get the server's error page instead of the Chrome error page, which is accessible with these CLI flags.
,
Nov 16
Meanwhile I got an answer in the google groups. The error page is isolated too, but this --disable-site-isolation-trials flag intentionally does not turn off the isolation by that. I think I'll continue this thread here: https://bugs.chromium.org/p/chromium/issues/detail?id=327804 this issue can be closed.
,
Nov 20
|
|||||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||||
Comment 1 by laszlo.j...@gmail.com
, Nov 7Note: I use something like this for checking in the real code: if (this.window.document.location.protocol.indexOf("error") !== -1) return this.navigationError(new WrongAddress());