Opened 6 years ago

Closed 6 years ago

Last modified 5 years ago

#9809 closed Bug (expired)

Using CKEditor inside an IFRAME leads to security exception

Reported by: Alex Lee
Owned by:
Priority: Normal
Milestone:
Component: Core : Editable
Version:
Keywords: HasPatch
Cc: aramasarma@…

Description

When using CKEditor inside an iframe, the getParent() method in CKEDITOR.dom.node fails with a security exception when trying to find the parent of the topmost element (the IFRAME).

Steps to reproduce:

  1. Create an instance of CKEditor in an iframe document
  2. Press enter while editing

Attachments (3)

dom_node.patch (641 bytes) - added by Alex Lee 6 years ago.
Try/catch block to stop parent lookup
build-config.js (2.6 KB) - added by Christa Fitzpatrick 5 years ago.
build-config.js
ckeditor.js (563.3 KB) - added by Christa Fitzpatrick 5 years ago.
ckeditor.js


Change History (12)

Changed 6 years ago by Alex Lee

Attachment: dom_node.patch added

Try/catch block to stop parent lookup

comment:1 Changed 6 years ago by Jakub Ś

Status: new → pending
Version: 4.0.1

@Aintaer it is possible that your code violates e.g. cross domain restriction or some other security rule.

Could you first provide sample page that shows what exactly is causing error? I'm talking about HTML page that can be put e.g. in samples folder and will show this error.

comment:2 Changed 6 years ago by Piotrek Koszuliński

Resolution: expired
Status: pending → closed

comment:3 Changed 5 years ago by Arvind Ramasarma

Cc: aramasarma@… added

I am facing the exact same issue where my application which uses the CKEditor is being used inside an iframe. There is an exception ( Permission denied ) throwing up when it tries to find the parent of the topmost iframe element.

The above fix suggested seems to work in the getParent method in node.js to prevent the exception from occurring. This method is being called from core/dom/element.js ->

while ( ( parent = parent.getParent() ) );

Please reopen this bug and let me know if any further details are needed from my end.
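The failure described in the ticket and in the comment above, as an added example that is not CKEditor's own code: a parent lookup that hops from a document to its embedding IFRAME, beside a hardened variant that swallows only the browser's cross-origin SecurityError, driven by the same `while ( ( parent = parent.getParent() ) )` loop. The hop via `window.frameElement` and the in-memory DOM fixture are assumptions so that it runs offline in Node.

```javascript
// Added example, not CKEditor's own code. The hop via window.frameElement and
// the DOM fixture below are assumptions so the example runs offline in Node.
const ELEMENT_NODE = 1, DOCUMENT_NODE = 9;

// Mimics the browser's cross-origin refusal (a DOMException named SecurityError).
function makeSecurityError() {
  const e = new Error('Blocked a frame from accessing a cross-origin frame.');
  e.name = 'SecurityError';
  return e;
}

// Naive lookup, as the ticket describes: climbs parentNode and, at the document
// boundary, reaches for the embedding <iframe>. Throws when origins differ.
function getParentUnsafe(node) {
  if (node.nodeType === DOCUMENT_NODE) return node.defaultView.frameElement;
  return node.parentNode;
}

// Hardened lookup: only the boundary hop can throw, so wrap just that hop and
// report a blocked frame as "no parent" (null); anything else stays visible.
function getParentSafe(node) {
  if (node.nodeType !== DOCUMENT_NODE) return node.parentNode;
  try {
    return node.defaultView.frameElement;
  } catch (err) {
    if (err.name === 'SecurityError') return null;
    throw err;
  }
}

// The loop from core/dom/element.js, parameterised over the lookup; returns
// the node names visited so the two behaviours can be compared.
function climb(node, getParent) {
  const visited = [];
  let parent = node;
  while ((parent = getParent(parent))) visited.push(parent.nodeName);
  return visited;
}

// Constructed fixture: <p> in <body> in a document embedded by an <iframe>;
// with crossOrigin=true reading frameElement is refused, as in the ticket.
function buildFixture(crossOrigin) {
  const iframe = { nodeType: ELEMENT_NODE, nodeName: 'IFRAME', parentNode: null };
  const doc = { nodeType: DOCUMENT_NODE, nodeName: '#document', parentNode: null };
  doc.defaultView = { get frameElement() {
    if (crossOrigin) throw makeSecurityError();
    return iframe;
  } };
  const body = { nodeType: ELEMENT_NODE, nodeName: 'BODY', parentNode: doc };
  return { nodeType: ELEMENT_NODE, nodeName: 'P', parentNode: body };
}
```

With a same-origin embedding the climb continues into the IFRAME element; cross-origin, the naive lookup throws out of the loop while the hardened one ends the walk at the document.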

comment:4 Changed 5 years ago by Jakub Ś

@aramasarma please provide reduced sample that allows reproducing this problem in default CKEditor. I'm talking about something that can be put in samples folder and will show this issue.

comment:5 Changed 5 years ago by Christa Fitzpatrick

I am also getting these security errors.

I get that the browser is rightfully blocking cross frame requests without matching domains, but I'm unclear as to why CKEditor needs to access the parent frame? Is it trying to manage multiple instances across frames?

To repro, it seems you just need to try to load a page (that has CK on it) in an iframe on another page (any) - where the domains or IPs are different. For example, load the demo page (http://ckeditor.com/demo) in an iframe from anywhere.

Would be great if the methods that can reach up out of the frame were wrapped in try/catches.

(Safari:)

Blocked a frame with origin "http://app.pagecloud.ca" from accessing a frame with origin "http://69.195.124.240". Protocols, domains, and ports must match. [Error] Blocked a frame with origin "http://app.pagecloud.ca" from accessing a frame with origin "http://69.195.124.240". Protocols, domains, and ports must match.

	getFrame (ckeditor.js, line 65)
	k (ckeditor.js, line 755)
	(anonymous function) (ckeditor.js, line 784)
	h (ckeditor.js, line 10)
	(anonymous function) (ckeditor.js, line 12)
	fire (ckeditor.js, line 13)
	(anonymous function) (ckeditor.js, line 311)
	h (ckeditor.js, line 10)
	(anonymous function) (ckeditor.js, line 12)
	fire (ckeditor.js, line 13)
	fireOnce (ckeditor.js, line 12)
	fireOnce (ckeditor.js, line 13)
	(anonymous function) (ckeditor.js, line 239)
	m (ckeditor.js, line 219)
	load (ckeditor.js, line 219)
	(anonymous function) (ckeditor.js, line 238)
	(anonymous function) (ckeditor.js, line 226)
	(anonymous function) (ckeditor.js, line 224)
	m (ckeditor.js, line 219)
	load (ckeditor.js, line 219)
	load (ckeditor.js, line 224)
	g (ckeditor.js, line 225)
	(anonymous function) (ckeditor.js, line 226)
	m (ckeditor.js, line 237)
	(anonymous function) (ckeditor.js, line 236)
	getStylesSet (ckeditor.js, line 442)
	i (ckeditor.js, line 236)
	(anonymous function) (ckeditor.js, line 236)
	c (ckeditor.js, line 218)
	m (ckeditor.js, line 219)
	p (ckeditor.js, line 219)
	s (ckeditor.js, line 219)
	(anonymous function) (ckeditor.js, line 220)

and Chrome:

Uncaught SecurityError: Failed to read the 'frame' property from 'Window': Blocked a frame with origin "http://app.pagecloud.ca" from accessing a frame with origin "http://69.195.124.240". Protocols, domains, and ports must match. 
CKEDITOR.tools.extend.getFrame ckeditor.js:65
k ckeditor.js:755
(anonymous function) ckeditor.js:784
h ckeditor.js:10
CKEDITOR.event.CKEDITOR.event.fire ckeditor.js:12
CKEDITOR.editor.CKEDITOR.editor.fire ckeditor.js:13
(anonymous function) ckeditor.js:311
h ckeditor.js:10
CKEDITOR.event.CKEDITOR.event.fire ckeditor.js:12
CKEDITOR.editor.CKEDITOR.editor.fire ckeditor.js:13
CKEDITOR.event.CKEDITOR.event.fireOnce ckeditor.js:12
CKEDITOR.editor.CKEDITOR.editor.fireOnce ckeditor.js:13
(anonymous function) ckeditor.js:239
m ckeditor.js:219
CKEDITOR.scriptLoader.load ckeditor.js:219
(anonymous function) ckeditor.js:238
(anonymous function) ckeditor.js:226
(anonymous function) ckeditor.js:224
m ckeditor.js:219
CKEDITOR.scriptLoader.load ckeditor.js:219
CKEDITOR.resourceManager.load ckeditor.js:224
g ckeditor.js:225
(anonymous function) ckeditor.js:226
m ckeditor.js:237
(anonymous function) ckeditor.js:236
CKEDITOR.tools.extend.getStylesSet ckeditor.js:442
i ckeditor.js:236
(anonymous function) ckeditor.js:236
c ckeditor.js:218
m ckeditor.js:219
p ckeditor.js:219
s ckeditor.js:219
(anonymous function)
Last edited 5 years ago by Piotrek Koszuliński

comment:6 Changed 5 years ago by Piotrek Koszuliński

Thanks for info. Could you attach your build config or ckeditor.js file, so we can check what's in these lines? Or even better - could you try to reproduce it on development version https://github.com/ckeditor/ckeditor-dev or package downloaded from http://ckeditor.com/download but with the "big and slow" option checked?

Changed 5 years ago by Christa Fitzpatrick

Attachment: build-config.js added

build-config.js

Changed 5 years ago by Christa Fitzpatrick

Attachment: ckeditor.js added

ckeditor.js

comment:7 Changed 5 years ago by Christa Fitzpatrick

You bet - just attached both those files. If you hit: http://69.195.124.240/~blogpage/ you can see it happening, using the CK demo page, in an iframe.

That is a WP install, with an iframe in the post body, referencing the CK demo page. You'll notice the CK instance seems to work - but in the console you'll see the security errors. So, trouble is, if your code waits for certain events (say, editor load, or something), and one of those exceptions occurs, then the flow of the outer app may be interrupted, even though CK continued to execute. Better to wrap the methods that could try to reach out of the frame that the CK is in, in try/catch, so that code execution doesn't drop the currently executing event handler and therefore skip any code after the exception, thus breaking and wrapping code. Does that make sense?

comment:8 Changed 5 years ago by Piotrek Koszuliński

Thanks for all the details, but... I can't reproduce it :| I opened the page and I can't see any errors. I checked Chrome and Firefox. I'm starting to think that it may be some OS/browser addon. Though, you reproduced it on two browsers. Do you have any ideas? Can you reproduce it on another machine too?

comment:9 in reply to:  8 Changed 5 years ago by Christa Fitzpatrick

Hmm, ok I will go plugin-hunting... Disabling to see if it clears up. Leave it with me for a bit. Thx!

© 2003 – 2019 CKSource – Frederico Knabben. All rights reserved.