
Bug 333972

Summary: Installed BrowserFunctions are available to remote content loaded in iFrames.
Product: [Eclipse Project] Platform
Reporter: Matthew Hatem <Matthew_Hatem>
Component: SWT
Assignee: Grant Gayed <grant_gayed>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: P3
CC: andrewd, balfe, bokowski, cbeth, eclipse.felipe, liuj1, liujuny, Matthew_Hatem, mpcarl
Version: 4.1
Target Milestone: 3.8 M6
Hardware: All
OS: All
Whiteboard:

Description Matthew Hatem CLA 2011-01-11 08:41:57 EST
Build Identifier: 

When a BrowserFunction is installed on a page, it is also made available to remote content loaded in Frames and iFrames.  From looking at the code this behavior was intended.  

This behavior differs between platforms.  For IE and Safari browsers, iFrames do not have access to the installed BrowserFunction but they do have access to the "window.external.callJava" function.  For Mozilla browsers, iFrames have access to the installed BrowserFunctions and the "window.external.callJava" function. 

We have use cases where we need to restrict access to the installed BrowserFunction and "window.external.callJava".  We think there are two things that need to be done.

1) Enhancement to the BrowserFunction/Browser API to allow scoping the installed BrowserFunctions to specific window/frame/iframes.

2) Secure access to the "window.external.callJava" function.


Reproducible: Always

Steps to Reproduce:
1. Start with the Browser widget snippet
2. Change the HTML to include an iFrame with remote content
3. Add script to the remote content that attempts to access the installed BrowserFunction

Bug: If the browser is SWT.MOZILLA the remote script will successfully access the installed BrowserFunction
Comment 1 B. Chen CLA 2011-03-31 14:47:04 EDT
(In reply to comment #0)

> 
> This behavior differs between platforms.  For IE and Safari browsers,
> iFrames do not have access to the installed BrowserFunction but they do have
> access to the "window.external.callJava" function.  For Mozilla browsers,
> iFrames have access to the installed BrowserFunctions and the
> "window.external.callJava" function. 
> 

Since Mozilla browsers 1.9.2, frames/iframes have access to the installed BrowserFunctions; however, frames/iframes with remote content do not have access to the BrowserFunction.
Comment 2 Grant Gayed CLA 2011-04-27 11:14:38 EDT
I've logged bug 343979 to deal specifically with the issue of prohibiting arbitrary JS from accessing registered BrowserFunctions directly via window.external.callJava.  I've split this part out into a separate bug because it will be investigated for the 3.7 release, while the aspect of limiting a BrowserFunction's availability to specific frames/iframes will not.
Comment 3 Grant Gayed CLA 2012-03-09 12:01:23 EST
Fixed > 20120309 with new constructor BrowserFunction(browser, name, top, frameNames).  Patch: http://git.eclipse.org/c/platform/eclipse.platform.swt.git/commit/?id=65025a7edc821ab692899a998f097ee59dcca651 .
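
The scoping constructor named in comment 3, shown in use as an added example (not code from this bug report or from the SWT patch): the function is installed in the top-level window only, so the iframe holding remote content is not given it. The function name `getProfile`, the HTML, the frame name `remote` and the `remote.example` URL are constructed for illustration.

```java
import org.eclipse.swt.SWT;
import org.eclipse.swt.browser.Browser;
import org.eclipse.swt.browser.BrowserFunction;
import org.eclipse.swt.layout.FillLayout;
import org.eclipse.swt.widgets.Display;
import org.eclipse.swt.widgets.Shell;

public class ScopedBrowserFunction {
    // Constructed page: a trusted top-level script plus an iframe with remote content.
    static final String HTML =
        "<html><body>"
        + "<p id='out'>not called yet</p>"
        + "<input type='button' value='Call getProfile' "
        + "onclick=\"document.getElementById('out').innerHTML = getProfile();\">"
        // Placeholder URL standing in for third-party content.
        + "<iframe name='remote' src='https://remote.example/widget.html'></iframe>"
        + "</body></html>";

    public static void main(String[] args) {
        Display display = new Display();
        Shell shell = new Shell(display);
        shell.setLayout(new FillLayout());
        Browser browser = new Browser(shell, SWT.NONE);

        // top = true: install the function in the top-level window.
        // frameNames = empty array: no child frame is listed, so the
        // iframe named "remote" is not given the function.
        new BrowserFunction(browser, "getProfile", true, new String[0]) {
            @Override
            public Object function(Object[] arguments) {
                return "profile data for the trusted page"; // constructed value
            }
        };

        browser.setText(HTML);
        shell.open();
        while (!shell.isDisposed()) {
            if (!display.readAndDispatch()) display.sleep();
        }
        display.dispose();
    }
}
```

This scopes only the named function; access through "window.external.callJava" is the separate issue tracked in bug 343979 (comment 2).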