
Bug 330361

Summary: [Browser] cross-domain-scripting is not handled
Product: [RT] RAP
Reporter: Tim Buschtoens <tbuschto>
Component: RWT
Assignee: Project Inbox <rap-inbox>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: P3
CC: tbuschto
Version: 1.4
Target Milestone: 1.4 M5
Hardware: All
OS: All
Whiteboard:
Bug Depends on:
Bug Blocks: 330806

Description Tim Buschtoens CLA 2010-11-16 09:49:56 EST
It is not (and should not be) possible to use browser-functions or execute scripts in a browser-widget if the loaded page is from another domain. However, this is currently neither documented, nor handled in any way.
Comment 1 Tim Buschtoens CLA 2011-01-12 06:28:35 EST
In case of BrowserFunctions and Execute we will create a javascript error on the client that gets processed like any other js-error, thereby killing the session. In case of evaluate we will throw a catchable error on the server.
Comment 2 Tim Buschtoens CLA 2011-01-19 06:16:08 EST
To remain symmetrical we agreed to also throw a js-error on evaluate.
Comment 3 Tim Buschtoens CLA 2011-01-20 08:41:39 EST
Fixed in CVS HEAD.

Note that there is a scenario where creating BrowserFunctions fails silently:
Creating a page with browserFunctions, then navigate (via link) from this page to another outside the domain. The same might happen when navigating back again: No BrowserFunction will be created in the new page. In all other scenarios, the BrowserFunction should either be created or completely crash the js-application if no access is possible. This is accepted for now.
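
The behaviour described in the comments above, as an added example that is not part of the bug report and not RAP source code: a simplified model in which explicit operations fail loudly on a cross-origin page, while link navigation drops BrowserFunctions silently. The class, its methods, `missingFunctions()` and the URLs are hypothetical names chosen for illustration.

```javascript
"use strict";
// Simplified model of the behaviour described in the comments; not RAP code.
// Class, method and URL names are hypothetical.

// Same origin = same scheme, host and port. Opaque origins never match.
function sameOrigin(a, b) {
  const oa = new URL(a).origin, ob = new URL(b).origin;
  return oa !== "null" && oa === ob;
}

class BrowserWidgetModel {
  constructor(appUrl) {
    this.appUrl = appUrl;        // origin the client application runs in
    this.frameUrl = appUrl;      // document currently shown in the widget
    this.registered = new Set(); // BrowserFunctions the application asked for
    this.installed = new Set();  // BrowserFunctions present in the current page
  }
  checkAccess(op) {
    if (!sameOrigin(this.appUrl, this.frameUrl)) {
      throw new Error(`${op}: no script access to ${new URL(this.frameUrl).origin}`);
    }
  }
  // Programmatic load: functions are installed, or the error surfaces.
  setUrl(url) {
    this.frameUrl = url;
    this.installed.clear();
    if (this.registered.size > 0) {
      this.checkAccess("BrowserFunction");
      this.registered.forEach((n) => this.installed.add(n));
    }
  }
  createFunction(name) {
    this.checkAccess("BrowserFunction");
    this.registered.add(name);
    this.installed.add(name);
  }
  // execute and evaluate fail the same way (comment 2).
  execute(script) { this.checkAccess("execute"); return true; }
  evaluate(script) { this.checkAccess("evaluate"); return true; }
  // Link navigation inside the page: nothing is re-created and nothing throws.
  followLink(url) {
    this.frameUrl = url;
    this.installed.clear();
  }
  // Defensive check an application could run after a page change.
  missingFunctions() {
    return [...this.registered].filter((n) => !this.installed.has(n));
  }
}
```

In this model, a non-empty `missingFunctions()` result after a page change is the only signal of the silent case, since no error is raised until the next `execute` or `evaluate` call.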