Opened 9 years ago

Closed 9 years ago

#12767 closed Bug (duplicate)

this.win.getFrame() cross domain security exception (lineutils plugin)

Reported by: Steven Owned by:
Priority: Normal Milestone:
Component: General Version: 4.3 Beta
Keywords: Cc:

Description

Situation:

Create a custom build with CKbuilder that includes plugin 'lineutils' OR just download a package and include the lineutils plugin via config (there might be other plugins creating this error as well). Lineutils is a plugin required by many other plugins.

domain1.com/index.html initiate CKeditor (I used inline but same problem should happen with normal editor as well I think)

domain2.com Create iframe to load domain1.com/index.html

This will create uncaught security exception: 

Uncaught SecurityError: Failed to read the 'frame' property from 'Window': Blocked a frame with origin "domain1" from accessing a frame with origin "domain2". Protocols, domains, and ports must match.

CKEDITOR.tools.extend.getFrameckeditor.js:951 kckeditor.js:980 (anonymous function)ckeditor.js:10 ickeditor.js:12

CKEDITOR.event.CKEDITOR.event.fireckeditor.js:13

CKEDITOR.editor.CKEDITOR.editor.fireckeditor.js:314 (anonymous function)ckeditor.js:10 ickeditor.js:12

CKEDITOR.event.CKEDITOR.event.fireckeditor.js:13

CKEDITOR.editor.CKEDITOR.editor.fireckeditor.js:12

CKEDITOR.event.CKEDITOR.event.fireOnceckeditor.js:13

CKEDITOR.editor.CKEDITOR.editor.fireOnceckeditor.js:241 (anonymous function)ckeditor.js:221 mckeditor.js:221

CKEDITOR.scriptLoader.loadckeditor.js:240 (anonymous function)ckeditor.js:228 (anonymous function)ckeditor.js:226 (anonymous function)ckeditor.js:221 mckeditor.js:221

CKEDITOR.scriptLoader.loadckeditor.js:226

CKEDITOR.resourceManager.loadckeditor.js:227 hckeditor.js:228 (anonymous function)ckeditor.js:239 mckeditor.js:238 (anonymous function)ckeditor.js:445 (anonymous function)ckeditor.js:226 (anonymous function)ckeditor.js:221 mckeditor.js:221 tckeditor.js:221 sckeditor.js:222 (anonymous function)

This is the function inside lineutils plugin that causes the problem: 

    function Finder( editor, def ) {
        CKEDITOR.tools.extend( this, {
            editor: editor,
            editable: editor.editable(),
            doc: editor.document,
            win: editor.window
        }, def, true );

        this.frame = this.win.getFrame();
        this.inline = this.editable.isInline();
        this.target = this[ this.inline ? 'editable' : 'doc' ];
    }

This traces back to line 65 in ckeditor.js (minified version)

A solution I now quickly implemented is: 

	function Finder( editor, def ) {
		CKEDITOR.tools.extend( this, {
			editor: editor,
			editable: editor.editable(),
			doc: editor.document,
			win: editor.window
		}, def, true );

		var a = false;
		try{
			a = this.win.getFrame();
		}catch(e){/*console.log('getframe error:');console.log(editor);console.log(def);*/}
		
		this.frame = a;
		this.inline = this.editable.isInline();
		this.target = this[ this.inline ? 'editable' : 'doc' ];
	}

I have no idea how viable this solution is, it removed the error however I'm not completely sure how/what/where the 'this.frame' is used.

Attachments (2)

__testcke.html (750 bytes) - added by Jakub Ś 9 years ago.
__index.html (277 bytes) - added by Jakub Ś 9 years ago.

Download all attachments as: .zip

Change History (7)

comment:1 Changed 9 years ago by Vitaliy

Opened a PR for this issue

https://github.com/ckeditor/ckeditor-dev/pull/153

comment:2 Changed 9 years ago by Jakub Ś

Keywords: security frame cross browser exception lineutils removed

Changed 9 years ago by Jakub Ś

Attachment: __testcke.html added

Changed 9 years ago by Jakub Ś

Attachment: __index.html added

comment:3 Changed 9 years ago by Jakub Ś

Status: newpending

I have tried latest CKEditor 4.4.7 and didn't get any security exceptions.

I'm also attaching files I have used. My domains were example.com and otherexample.com so they are different domains yet everything worked as expected with latest version of CKEditor and lineutils. Have I missed anything?

comment:4 in reply to:  3 Changed 9 years ago by Steven

Replying to j.swiderski:

I have tried latest CKEditor 4.4.7 and didn't get any security exceptions.

I'm also attaching files I have used. My domains were example.com and otherexample.com so they are different domains yet everything worked as expected with latest version of CKEditor and lineutils. Have I missed anything?

Hey,

Yeah they've updated the code since I opened this ticket the new code they have in lineutils is: 

	function Finder( editor, def ) {
		CKEDITOR.tools.extend( this, {
			editor: editor,
			editable: editor.editable(),
			doc: editor.document,
			win: editor.window
		}, def, true );

		this.inline = this.editable.isInline();
		if ( !this.inline )
			this.frame = this.win.getFrame();
		this.target = this[ this.inline ? 'editable' : 'doc' ];
	}

I have not tested as I'm still working with my edit but if you tested on 2 domains with the files you uploaded and it works it seems the bug can be marked as solved :)

comment:5 Changed 9 years ago by Piotrek Koszuliński

Resolution: duplicate
Status: pendingclosed
Version: 4.4.64.3 Beta

This issue is a DUP of #12812 and was fixed by PR#153.

Note: See TracTickets for help on using tickets.
© 2003 – 2022, CKSource sp. z o.o. sp.k. All rights reserved. | Terms of use | Privacy policy