#9809 closed Bug (expired)
Using CKEditor inside an IFRAME leads to security exception
| Reported by: | Alex Lee | Owned by: | |
|---|---|---|---|
| Priority: | Normal | Milestone: | |
| Component: | Core : Editable | Version: | |
| Keywords: | HasPatch | Cc: | aramasarma@… |
Description
When using CKEditor inside an iframe, the getParent() method in CKEDITOR.dom.node fails with a security exception when trying to find the parent of the topmost element (the IFRAME).
Steps to reproduce:
- Create an instance of CKEditor in an iframe document
- Press enter while editing
Attachments (3)
Change History (12)
Changed 11 years ago by
| Attachment: | dom_node.patch added |
|---|
comment:1 Changed 11 years ago by
| Status: | new → pending |
|---|---|
| Version: | 4.0.1 |
@Aintaer it is possible that your code violates e.g. cross domain restriction or some other security rule.
Could you first provide sample page that shows what exactly is causing error? I'm talking about HTML page that can be put e.g. in samples folder and will show this error.
comment:2 Changed 11 years ago by
| Resolution: | → expired |
|---|---|
| Status: | pending → closed |
comment:3 Changed 10 years ago by
| Cc: | aramasarma@… added |
|---|
I am facing the exact same issue where my application which uses the skeditor is being used inside an iframe. There is an exception ( Permission denied ) throwing up when it tries to find the parent of the topmost iframe element.
The above fix suggested seems to work in the getParent method in node.js to prevent the exception from occuring. This method is being called from core/dom/element.js ->
while ( ( parent = parent.getParent() ) );
Please reopen this bug and let me know if any further details are needed from my end.
comment:4 Changed 10 years ago by
@aramasarma please provide reduced sample that allows reproducing this problem in default CKEditor. I'm talking about something that can be put in samples folder and will show this issue.
comment:5 Changed 10 years ago by
I am also getting these security errors.
I get that the browser is rightfully blocking cross frame requests without matching domains, but I'm unclear as to why CKeditor needs to access the parent frame? Is it trying to manage multiple instances across frames?
To repro, it seems you just need to try to load a page (that has CK on it) in an iframe on another page (any) - where the domains or IP's are different. For example, load the demo page (http://ckeditor.com/demo) in an iframe from anywhere.
Would be great if the methods that can reach up out of the frame were wrapped in try/catches.
(Safari:)
Blocked a frame with origin "http://app.pagecloud.ca" from accessing a frame with origin "http://69.195.124.240". Protocols, domains, and ports must match. [Error] Blocked a frame with origin "http://app.pagecloud.ca" from accessing a frame with origin "http://69.195.124.240". Protocols, domains, and ports must match.
getFrame (ckeditor.js, line 65) k (ckeditor.js, line 755) (anonymous function) (ckeditor.js, line 784) h (ckeditor.js, line 10) (anonymous function) (ckeditor.js, line 12) fire (ckeditor.js, line 13) (anonymous function) (ckeditor.js, line 311) h (ckeditor.js, line 10) (anonymous function) (ckeditor.js, line 12) fire (ckeditor.js, line 13) fireOnce (ckeditor.js, line 12) fireOnce (ckeditor.js, line 13) (anonymous function) (ckeditor.js, line 239) m (ckeditor.js, line 219) load (ckeditor.js, line 219) (anonymous function) (ckeditor.js, line 238) (anonymous function) (ckeditor.js, line 226) (anonymous function) (ckeditor.js, line 224) m (ckeditor.js, line 219) load (ckeditor.js, line 219) load (ckeditor.js, line 224) g (ckeditor.js, line 225) (anonymous function) (ckeditor.js, line 226) m (ckeditor.js, line 237) (anonymous function) (ckeditor.js, line 236) getStylesSet (ckeditor.js, line 442) i (ckeditor.js, line 236) (anonymous function) (ckeditor.js, line 236) c (ckeditor.js, line 218) m (ckeditor.js, line 219) p (ckeditor.js, line 219) s (ckeditor.js, line 219) (anonymous function) (ckeditor.js, line 220)
and Chrome:
Uncaught SecurityError: Failed to read the 'frame' property from 'Window': Blocked a frame with origin "http://app.pagecloud.ca" from accessing a frame with origin "http://69.195.124.240". Protocols, domains, and ports must match. CKEDITOR.tools.extend.getFrame ckeditor.js:65 k ckeditor.js:755 (anonymous function) ckeditor.js:784 h ckeditor.js:10 CKEDITOR.event.CKEDITOR.event.fire ckeditor.js:12 CKEDITOR.editor.CKEDITOR.editor.fire ckeditor.js:13 (anonymous function) ckeditor.js:311 h ckeditor.js:10 CKEDITOR.event.CKEDITOR.event.fire ckeditor.js:12 CKEDITOR.editor.CKEDITOR.editor.fire ckeditor.js:13 CKEDITOR.event.CKEDITOR.event.fireOnce ckeditor.js:12 CKEDITOR.editor.CKEDITOR.editor.fireOnce ckeditor.js:13 (anonymous function) ckeditor.js:239 m ckeditor.js:219 CKEDITOR.scriptLoader.load ckeditor.js:219 (anonymous function) ckeditor.js:238 (anonymous function) ckeditor.js:226 (anonymous function) ckeditor.js:224 m ckeditor.js:219 CKEDITOR.scriptLoader.load ckeditor.js:219 CKEDITOR.resourceManager.load ckeditor.js:224 g ckeditor.js:225 (anonymous function) ckeditor.js:226 m ckeditor.js:237 (anonymous function) ckeditor.js:236 CKEDITOR.tools.extend.getStylesSet ckeditor.js:442 i ckeditor.js:236 (anonymous function) ckeditor.js:236 c ckeditor.js:218 m ckeditor.js:219 p ckeditor.js:219 s ckeditor.js:219 (anonymous function)
comment:6 Changed 10 years ago by
Thanks for info. Could you attach your build config or ckeditor.js file, so we can check what's in these lines? Or even better - could you try to reproduce it on development version https://github.com/ckeditor/ckeditor-dev or package downloaded from http://ckeditor.com/download but with the "big and slow" option checked?
comment:7 Changed 10 years ago by
You bet - just attached both those files. If you hit: http://69.195.124.240/~blogpage/ you can see it happening, using the CK demo page, in an iframe.
That is a WP install, with an iframe in the post body, referencing the CK demo page. You'll notice the CK instance seems to work - but in the console you'll see the security errors. So, trouble is, if your code waits for certain events (say, editor load, or something), and one of those exceptions occurs, then the flow of the outer app may be interrupted, even though CK continued to execute. Better to wrap the methods that could try to reach out of the frame that the CK is in, in try/catch, so that code execution doesn't drop the currently executing event handler and therefor skip and code after the exception, thus breaking and wrapping code. Does that make sense?
comment:8 follow-up: 9 Changed 10 years ago by
Thanks for all the details, but... I can't reproduce it :| I opened the page and I can't see any errors. I checked Chrome and Firefox. I start to think that it may be some OS/browser addon. Though, you reproduced it on two browsers. Do you have any ideas? Can you reproduce it on other machine too?
comment:9 Changed 10 years ago by
Hmm, ok I will go plugin-hunting... Disabling to see if it clears up. Leave it with me for a bit. Thx!
Try/catch block to stop parent lookup