Bug 333972 - Installed BrowserFunctions are available to remote content loaded in iFrames.
Summary: Installed BrowserFunctions are available to remote content loaded in iFrames.
Status: RESOLVED FIXED
Alias: None
Product: Platform
Classification: Eclipse Project
Component: SWT
Version: 4.1
Hardware: All All
Importance: P3 normal
Target Milestone: 3.8 M6
Assignee: Grant Gayed CLA
Reported: 2011-01-11 08:41 EST by Matthew Hatem CLA
Modified: 2012-03-09 12:01 EST
Description Matthew Hatem CLA 2011-01-11 08:41:57 EST
Build Identifier: 

When a BrowserFunction is installed on a page, it is also made available to remote content loaded in Frames and iFrames.  From looking at the code this behavior was intended.  

This behavior differs between platforms.  For IE and Safari browsers, iFrames do not have access to the installed BrowserFunction but they do have access to the "window.external.callJava" function.  For Mozilla browsers, iFrames have access to the installed BrowserFunctions and the "window.external.callJava" function. 

We have use cases where we need to restrict access to the installed BrowserFunction and "window.external.callJava".  We think there are two things that need to be done.

1) Enhancement to the BrowserFunction/Browser API to allow scoping the installed BrowserFunctions to specific window/frame/iframes.

2) Secure access to the "window.external.callJava" function.


Reproducible: Always

Steps to Reproduce:
1. Start with the Browser widget snippet
2. Change the HTML to include an iFrame with remote content
3. Add script to the remote content that attempts to access the installed BrowserFunction

Bug: If the browser is SWT.MOZILLA the remote script will successfully access the installed BrowserFunction
Comment 1 B. Chen CLA 2011-03-31 14:47:04 EDT
(In reply to comment #0)

> 
> This behavior differs between platforms.  For IE and Safari browsers,
> iFrames do not have access to the installed BrowserFunction but they do have
> access to the "window.external.callJava" function.  For Mozilla browsers,
> iFrames have access to the installed BrowserFunctions and the
> "window.external.callJava" function. 
> 

Since Mozilla browsers 1.9.2, frames/iframes have access to the installed BrowserFunctions; however, frames/iframes with remote content do not have access to the BrowserFunction.
Comment 2 Grant Gayed CLA 2011-04-27 11:14:38 EDT
I've logged bug 343979 to deal specifically with the issue of prohibiting arbitrary JS from accessing registered BrowserFunctions directly via window.external.callJava.  I've split this part out into a separate bug because it will be investigated for the 3.7 release, while the aspect of limiting a BrowserFunction's availability to specific frames/iframes will not.
Comment 3 Grant Gayed CLA 2012-03-09 12:01:23 EST
Fixed > 20120309 with new constructor BrowserFunction(browser, name, top, frameNames).  Patch: http://git.eclipse.org/c/platform/eclipse.platform.swt.git/commit/?id=65025a7edc821ab692899a998f097ee59dcca651 .
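
The scoped constructor named in comment 3, used to limit a BrowserFunction to the top-level document and one named child frame. This is an added example, not code from the bug report or from the SWT project; the function name `hostInfo`, the frame names and the HTML are constructed for illustration.

```java
import org.eclipse.swt.SWT;
import org.eclipse.swt.browser.Browser;
import org.eclipse.swt.browser.BrowserFunction;
import org.eclipse.swt.layout.FillLayout;
import org.eclipse.swt.widgets.Display;
import org.eclipse.swt.widgets.Shell;

public class ScopedBrowserFunctionExample {
    // Constructed page: two named child frames and a button that reports,
    // for the top-level window and each frame, whether hostInfo is defined.
    static final String HTML =
        "<html><body>"
        + "<iframe name='trusted' src='about:blank'></iframe>"
        + "<iframe name='untrusted' src='about:blank'></iframe>"
        + "<button onclick=\"report()\">Check visibility</button><pre id='out'></pre>"
        + "<script>function report() {"
        + "  var s = 'top: ' + typeof window.hostInfo + '\\n';"
        + "  for (var i = 0; i < frames.length; i++) {"
        + "    s += frames[i].name + ': ' + typeof frames[i].hostInfo + '\\n';"
        + "  }"
        + "  document.getElementById('out').textContent = s;"
        + "}</script></body></html>";

    public static void main(String[] args) {
        Display display = new Display();
        Shell shell = new Shell(display);
        shell.setLayout(new FillLayout());
        Browser browser = new Browser(shell, SWT.NONE);

        // top = true exposes hostInfo() to the top-level document; the
        // frameNames array lists the child frames that should also receive it.
        new BrowserFunction(browser, "hostInfo", true, new String[] {"trusted"}) {
            @Override
            public Object function(Object[] arguments) {
                return "data from the Java host"; // constructed return value
            }
        };

        browser.setText(HTML);
        shell.setSize(600, 400);
        shell.open();
        while (!shell.isDisposed()) {
            if (!display.readAndDispatch()) display.sleep();
        }
        display.dispose();
    }
}
```

Clicking the button after the page has loaded lists what each frame can see, which makes it easy to confirm on each platform's browser that a frame left out of `frameNames` does not receive the function.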