Javascript Security Restrictions on Chrome Stable Break Porthole

[heymatthew]

Overview

Tested on OS: Linux / Windows XP
Browsers affected: Chrome Stable (10.0.648.205), Mozilla Firefox 3.5.16

This works for http://sandbox.ternarylabs.com/porthole/
This doesn't work for a freshly cloned repo

Problem Description

There are several issues here, but I believe them to be related so they're all being put in here.
Issue 1) When changing the colour of the child frames, the operation succeeds, but reports errors when trying to run forwardMessageEvent.
Issue 2) When changing the colour of the parent from a child frame, the operation fails. Errors are reported relating to security policy problems.

Steps to reproduce

Issue 1) Javascript errors for operations on the parent

1. Checkout the porthole repo into the root of some webserver you control (git clone https://github.com/ternarylabs/porthole.git)
2. Navigate to the content on Google Chrome stable, e.g. http://lateralus/porthole/porthole
3. Click Color Frame1 Red

What happens?

• The window color of the first frame is changed to red
• The following is output on the console

  Porthole.WindowProxyDispatcher.findWindowProxyObjectInWindow
  Unsafe JavaScript attempt to access frame with URL http://lateralus/porthole/ from frame with URL http://demo.auberger.com/porthole/proxy.html#color=red&sourceOrigin=http%3A//lateralus&targetOrigin=*&sourceWindowName=&targetWindowName=guestFrame1. Domains, protocols and ports must match.
  Can't access object: top
  Can't access object: window
  Can't access object: location
  Can't access object: chrome
  Can't access object: external
  Can't access object: document
  Can't access object: Porthole
  

Expected:
No JS errors.

Issue 2) Javascript operations on the child

1. Assuming you've already got a checkout of the page, and have navigated to the root directory of the checked out repo, click the 'Color Parent Blue' button on Frame1.

What happens?

• No changes occur on the parent
• The following is output on the console

  Porthole.WindowProxyDispatcher.forwardMessageEvent
  Porthole.WindowProxyDispatcher.findWindowProxyObjectInWindow
  (x2) Unsafe JavaScript attempt to access frame with URL http://lateralus/porthole/ from frame with URL http://sandbox.ternarylabs.com/porthole/proxy.html#color=green&sourceOrigin=http%3A//demo.auberger.com&targetOrigin=*&sourceWindowName=guestFrame1&targetWindowName=. Domains, protocols and ports must match.
  Could not find window proxy object on the target window
  

Expected:
No JS errors. Parent frame changes colour.

[georges]

Thanks for the thorough report. I am not able to reproduce the problem described in issue #2. Keep in mind that if you're running the code locally, you need to change the domain names for where you're loading proxy and iframe from. They need to match parent and guest iframe respectively. You can't simply checkout the code and run it as is.

Regarding javascript errors, I turned off some debugging logging so that should no longer be there.

The unsafe JS error was triggered by enumerating an object that we don't have access to. I've added a fix to narrow down the search to our specific proxy class, so those exceptions no longer get triggered.