WebKit: uncatchable security error when attempting to access a property of the window object across origins.

_readme.md

On WebKit (reproducible in both the latest Chrome and Safari), a security error is displayed in the console when a script attempts to access a property of a window object that belongs to a different origin:

Unsafe JavaScript attempt to access frame with URL http://localhost:8000/main.html from frame with URL http://localhost:8001/iframe.html. Domains, protocols and ports must match.

It seems this error is not thrown as an exception: it cannot be caught (see the try...catch block in the example) and it doesn't affect the program flow (statements after it still get executed).

Because there is no way to find out whether two windows share the same origin, it's impossible to avoid this warning.

console_output.txt
Unsafe JavaScript attempt to access frame with URL
http://localhost:8000/main.html from frame with URL
http://localhost:8001/iframe.html. Domains, protocols
and ports must match.
iframe.html
<!DOCTYPE HTML>
<html>
  <head>
    <title>child</title>
  </head>
  <body>
    <script>
      try {
        // Cross-origin property read on the parent window: WebKit logs the
        // console error here, but the catch block below never runs.
        window.parent.foo;
      } catch(e) {}
    </script>
  </body>
</html>
main.html
<!DOCTYPE HTML>
<html>
  <head>
    <title>parent</title>
  </head>
  <body>
    <iframe src="http://localhost:8001/iframe.html"></iframe>
  </body>
</html>
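
The rule quoted in the console message ("Domains, protocols and ports must match") can be checked for any pair of URLs. The following is an added example, not part of the original gist: `originTuple`, `originMismatch` and `sameOrigin` are hypothetical helper names, and the code compares URLs only, not live window objects.

```javascript
// Added example (not from the gist): reports which parts of the
// (protocol, host, port) origin tuple differ between two URLs.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

function originTuple(href) {
  const u = new URL(href);
  // data:, file: and similar URLs serialize to the opaque origin "null",
  // which never matches any other origin.
  if (u.origin === 'null') return null;
  return {
    protocol: u.protocol,
    host: u.hostname,
    // The URL parser drops a scheme's default port, so restore it to
    // compare effective port numbers.
    port: u.port || DEFAULT_PORTS[u.protocol] || '',
  };
}

function originMismatch(a, b) {
  const ta = originTuple(a);
  const tb = originTuple(b);
  if (ta === null || tb === null) return ['opaque'];
  return ['protocol', 'host', 'port'].filter((k) => ta[k] !== tb[k]);
}

function sameOrigin(a, b) {
  return originMismatch(a, b).length === 0;
}

// The two frames from this gist differ only in their port.
console.log(originMismatch(
  'http://localhost:8000/main.html',
  'http://localhost:8001/iframe.html'
)); // [ 'port' ]
```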
