Opened 9 years ago

Closed 9 years ago

Last modified 9 years ago

#10771 closed defect (fixed)

Dijit._base and detecting focus within iframe, that loaded its source from a foreign host (IE8)

Reported by: klipstein
Owned by: bill
Priority: high
Milestone: 1.4.2
Component: Dijit
Version: 1.4.0
Keywords: dijit contentWindow iframe ie8
Cc:
Blocked By:
Blocking:

Description

There is a security problem (Access denied) within dijit/_base/manager.js when trying to determine focusable elements within an iframe. The "Access denied" exception is thrown within IE8 if dijit/dijit.js is used on a page that also contains an iframe that loaded its content from a foreign domain.
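The failure described above, as an added example (it is not the attached patch and not Dojo's code): a frame walk that touches `contentWindow.document` aborts on the first foreign-origin iframe, while a guarded walk treats that frame as opaque and continues. The names `makeFrame`, `safeFrameDocument` and `collectDocuments` are hypothetical, and the frames are constructed stand-ins so the block runs outside a browser.

```javascript
// Added example: constructed stand-ins for DOM objects so it runs under Node.
// A cross-origin frame is modelled as a contentWindow whose `document` getter
// throws, which is how the "Access denied" in this ticket surfaces.
function makeFrame(name, childFrames, crossOrigin) {
  const doc = { name, frames: childFrames || [] };
  const contentWindow = {};
  Object.defineProperty(contentWindow, "document", {
    get() {
      if (crossOrigin) throw new Error("Access is denied.");
      return doc;
    },
  });
  return { name, contentWindow };
}

// Hypothetical helper: return the frame's document, or null when the
// same-origin policy blocks access. The foreign frame stays opaque.
function safeFrameDocument(iframe) {
  try {
    const win = iframe.contentWindow;
    return win ? win.document : null;
  } catch (e) {
    return null;
  }
}

// Walk frames depth-first, recording reachable documents and skipped frames.
function collectDocuments(frames, result = { reachable: [], skipped: [] }) {
  for (const frame of frames) {
    const doc = safeFrameDocument(frame);
    if (doc === null) {
      result.skipped.push(frame.name);
      continue;
    }
    result.reachable.push(doc.name);
    collectDocuments(doc.frames, result);
  }
  return result;
}

// Constructed page: a same-origin frame nesting a foreign one, plus a foreign frame.
const page = [
  makeFrame("editor", [makeFrame("ad-nested", [], true)], false),
  makeFrame("widget-foreign", [], true),
];
// Unguarded access, for contrast: throws on the first foreign frame.
const unguardedWalk = () => page.map((f) => f.contentWindow.document.name);
```

The guard only stops the exception from escaping; the foreign document stays unreadable, as the same-origin policy intends.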

Attachments (5)

test_contentwindow.html (574 bytes) - added by klipstein 9 years ago.
A simple testcase for IE8
test_contentwindow.2.html (574 bytes) - added by klipstein 9 years ago.
A simple testcase for IE8
manager_patch.js (921 bytes) - added by klipstein 9 years ago.
Patch for fixing the security issue
manager_patch.2.js (921 bytes) - added by klipstein 9 years ago.
Patch for fixing the security issue
manager_patch.3.js (921 bytes) - added by klipstein 9 years ago.
Patch for fixing the security issue


Change History (11)

Changed 9 years ago by klipstein

Attachment: test_contentwindow.html added

A simple testcase for IE8

Changed 9 years ago by klipstein

Attachment: test_contentwindow.2.html added

A simple testcase for IE8

Changed 9 years ago by klipstein

Attachment: manager_patch.js added

Patch for fixing the security issue

Changed 9 years ago by klipstein

Attachment: manager_patch.2.js added

Patch for fixing the security issue

Changed 9 years ago by klipstein

Attachment: manager_patch.3.js added

Patch for fixing the security issue

comment:1 Changed 9 years ago by bill

Resolution: fixed
Status: new → closed

(In [21407]) Fix exception in focus manager when iframe points to a document from a different domain. Patch from Klipstein (CLA on file), thanks! Fixes #10771 !strict.

comment:2 Changed 9 years ago by James Burke

Milestone: tbd → 1.5

Assuming this is just in the main trunk, for 1.5

comment:3 Changed 9 years ago by James Burke

Bill, as this seems to be a regression vs. 1.3, as indicated in dupe #10792, is it possible to get this fix ported to the 1.4 branch? We are likely going to wait on a dojo.declare fix for 1.4.2, so we have some time to get this in for 1.4.2.

comment:4 Changed 9 years ago by bill

Sure, makes sense, I'll backport it.

comment:5 Changed 9 years ago by bill

(In [21453]) Backport cross-domain iframe exception fix to 1.4, refs #10771 !strict.

Also fixing spelling mistake in 1.4 and trunk.

comment:6 Changed 9 years ago by bill

Milestone: 1.5 → 1.4.2