Bug Tracker

Ticket #8018 (closed bug: fixed)

Opened 4 years ago

Last modified 2 years ago

Unsafe access to frameElement causes error in crossdomain (i)frames

Reported by: SlexAxton
Owned by: SlexAxton
Priority: blocker
Milestone: 1.6
Component: event
Version: 1.4.4
Keywords: frameElement, cross-domain
Cc:
Blocking:
Blocked by:

Description

We have 2 references to the frameElement property on an element in the jQuery source. The first is wrapped in a try/catch because if the frame is on a different domain, an access restricted exception occurs.

In bindReady:

try {
  toplevel = window.frameElement == null;
} catch(e) {}

In jQuery.event (the unsafe one):

// For whatever reason, IE has trouble passing the window object
// around, causing it to be cloned in the process
if ( jQuery.isWindow( elem ) && ( elem !== window && !elem.frameElement ) ) {
  elem = window;
}

I'll attach a patch that avoids the frameWindow access altogether in this case, or we could consider just wrapping a try/catch. I think this solution is better though.

It so happens that while this fails:

  elem === window

This does not (so we can avoid the access):

  elem == window

More details from Shawn Smith (who found the fix) here:

 https://github.com/shawnsmith/jquery/commit/a5cf1291a1f6903fbe8a39b384080d872a30b460
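
The try/catch alternative mentioned in the description, as an added example that is not jQuery's code and not the patch from either pull request. It runs the ticket's check against constructed window stand-ins; `makeWindow`, `isWindow`, `normalizeUnsafe`, `readFrameElement` and `normalizeGuarded` are hypothetical names, and the throwing `frameElement` getter models the cross-domain exception.

```javascript
// Constructed mock: a window-like object. With crossOrigin set, reading
// frameElement throws, modelling the access-restricted exception in the ticket.
function makeWindow({ framed = false, crossOrigin = false } = {}) {
  const win = { setInterval() {} };
  Object.defineProperty(win, "frameElement", {
    get() {
      if (crossOrigin) throw new Error("Permission denied (constructed)");
      return framed ? { nodeName: "IFRAME" } : null;
    },
  });
  return win;
}

// Local stand-in for jQuery.isWindow (hypothetical, for this example only).
function isWindow(obj) {
  return obj != null && typeof obj === "object" && "setInterval" in obj;
}

// The check quoted in the ticket, with `win` passed in instead of the global.
function normalizeUnsafe(elem, win) {
  if (isWindow(elem) && (elem !== win && !elem.frameElement)) {
    elem = win;
  }
  return elem;
}

// Guarded read: reports whether frameElement could be read at all.
function readFrameElement(w) {
  try {
    return { ok: true, value: w.frameElement };
  } catch (e) {
    return { ok: false, value: null };
  }
}

// try/catch variant: an unreadable (cross-domain) window is left untouched
// rather than being silently replaced by our own window.
function normalizeGuarded(elem, win) {
  if (isWindow(elem) && elem !== win) {
    const fe = readFrameElement(elem);
    if (fe.ok && !fe.value) elem = win;
  }
  return elem;
}

const own = makeWindow();
const foreign = makeWindow({ framed: true, crossOrigin: true });
console.log(normalizeGuarded(foreign, own) === foreign);
```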

Change History

comment:1 Changed 4 years ago by SlexAxton

  • Owner set to SlexAxton
  • Status changed from new to assigned

As promised, here is the pull request:  https://github.com/jquery/jquery/pull/193

comment:2 Changed 4 years ago by SlexAxton

  • Keywords frameElement, cross-domain added
  • Priority changed from undecided to low
  • Component changed from unfiled to event
  • Milestone changed from 1.next to 1.5

comment:3 Changed 4 years ago by jitter

  • Milestone set to 1.5.1

comment:4 Changed 4 years ago by SlexAxton

Another potential fix:

 https://github.com/jquery/jquery/pull/232

The first pull request says "Yes, we work on other frames and windows' window objects"

and this pull request says "We only work on the original window object"

comment:5 Changed 4 years ago by snover

  • Priority changed from low to blocker
  • Milestone changed from 1.5.1 to 1.6

workaround committed in [752db8fffeffa796f5cdb5553331436c0a4cc44e]; retargeting permanent fix as 1.6 blocker

comment:6 Changed 3 years ago by john

  • Status changed from assigned to closed
  • Resolution set to fixed