Bug 330361 - [Browser] cross-domain-scripting is not handled
Status: RESOLVED FIXED
Alias: None
Product: RAP
Classification: RT
Component: RWT
Version: 1.4
Hardware: All All
Importance: P3 normal
Target Milestone: 1.4 M5
Assignee: Project Inbox CLA
Blocks: 330806
Reported: 2010-11-16 09:49 EST by Tim Buschtoens CLA
Modified: 2011-01-20 08:41 EST
Description Tim Buschtoens CLA 2010-11-16 09:49:56 EST
It is not (and should not be) possible to use browser-functions or execute scripts in a browser-widget if the loaded page is from another domain. However, this is currently neither documented, nor handled in any way.
Comment 1 Tim Buschtoens CLA 2011-01-12 06:28:35 EST
In case of BrowserFunctions and Execute we will create a javascript error on the client that gets processed like any other js-error, thereby killing the session. In case of evaluate we will throw a catchable error on the server.
Comment 2 Tim Buschtoens CLA 2011-01-19 06:16:08 EST
To remain symmetrical we agreed to also throw a js-error on evaluate.
Comment 3 Tim Buschtoens CLA 2011-01-20 08:41:39 EST
Fixed in CVS HEAD.

Note that there is a scenario where creating BrowserFunctions fails silently:
Creating a page with browserFunctions, then navigating (via link) from this page to another outside the domain. The same might happen when navigating back again: No BrowserFunction will be created in the new page. In all other scenarios, the BrowserFunction should either be created or completely crash the js-application if no access is possible. This is accepted for now.
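
The following is an added example, not RAP code and not part of the bug report. It models the same-origin test a client has to pass before it can script an embedded frame, and shows why the test must be repeated after the frame navigates. The function names, the `frame` stand-in object and the `example.test` URLs are assumptions made for illustration.

```javascript
// Added example: hypothetical names, constructed URLs; not RAP client code.

// Origin (scheme + host + port) of a URL, or null when the URL is unparsable
// or has an opaque origin (data:, file:, ...). WHATWG URL lower-cases the host
// and drops default ports, so "http://A.test:80" and "http://a.test" agree.
function originOf(href) {
  try {
    const origin = new URL(href).origin;
    return origin === "null" ? null : origin;
  } catch (e) {
    return null;
  }
}

// True only when both URLs have the same non-opaque origin.
function sameOrigin(appUrl, frameUrl) {
  const app = originOf(appUrl);
  return app !== null && app === originOf(frameUrl);
}

// Models a script call into an embedded frame. The check uses the frame's
// current URL on every call, because the user can navigate the frame after
// it was created. `frame` is a plain object { url, run } standing in for an
// iframe; `run` stands in for evaluating the script in the frame's document.
function guardedExecute(appUrl, frame, script) {
  if (!sameOrigin(appUrl, frame.url)) {
    const err = new Error("cross-origin frame: " + (originOf(frame.url) || "opaque origin"));
    err.name = "SecurityError";
    throw err;
  }
  return frame.run(script);
}

// Constructed scenario: the frame starts on the application's origin and is
// then navigated to another domain.
const APP_URL = "https://app.example.test/rap";
function demo() {
  const frame = { url: "https://app.example.test/help.html", run: (s) => "ran: " + s };
  const results = [guardedExecute(APP_URL, frame, "init()")];
  frame.url = "https://other.example.test/"; // user followed an external link
  try {
    guardedExecute(APP_URL, frame, "init()");
  } catch (e) {
    results.push(e.name + ": " + e.message);
  }
  return results;
}
```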