-1

I recently developed a Firefox extension which allows me to automate some actions on several websites (mainly retrieving data).

The extension works well so I'm currently developing a Chrome version of the extension.

There are some differences between Chrome and Firefox extensions but it's mainly the same code which is running in both extensions.

Issue

Most of it works, however I'm having troubles with a specific website which works well with the Firefox extension.

On this website, I'm trying to get a table which is located into an iframe itself located into another iframe.

When accessing second iframe, I'm facing the following exception.

Uncaught SecurityError: Blocked a frame with origin "https://subdomain.domain.fr" from accessing a frame with origin "https://subdomain.domain.fr". The frame requesting access set "document.domain" to "domain.fr", but the frame being accessed did not. Both must set "document.domain" to the same value to allow access

The page is structured as follow

<iframe id="iframe_centrale" src="/[...]">
    [...]
    <iframe id="iframe" src="/[...]">
        [...]
        <table></table>
        [...]
    </iframe>
    [...]
</iframe>

And I'm trying to access the iframe as follow

var tableElement = null;
var iframe = null;
iframe = document.getElementById('iframe_centrale');
if(null != iframe)
{
    iframe = iframe.contentWindow.document.getElementById("iframe");
    if(null != iframe)
    {
        tableElement = iframe.contentWindow.document.evaluate("//table", iframe.contentDocument, null, XPathResult.FIRST_ORDERED_NODE_TYPE, null).singleNodeValue;
        if((null != tableElement)
        {
            // Read table
        }
    }
}

Issue analysis

The fired exception is usually met when trying to access a ressource located on another domain.

However in my case, both iframes are located on the same domain because the src attribute is a relative url.

The fact that the exact same code is working correctly with Firefox also confirms that I can access the second iframe.

More information

Another error I'm facing is that during the browsing process, I fill a form located into an iframe and the following exception is triggeredonce, however the form is still filled correctly.

Uncaught DOMException: Blocked a frame with origin "https://subdomain.domain.fr" from accessing a cross-origin frame.

since its in a mutation observer loop, the instruction may work the second time, it could explain why the form is filled.

After filling the form, I click a button, into an iframe, itself into an iframe. When the button is clicked I have the following exception

Refused to run the JavaScript URL because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution

Once again, the click is made into a mutation observer loop so it may be triggered once, and then works, but I'm redirected to the next page so the click is working.

Investigating from Firefox

Since I can access both iframes' content from Firefox, I tried to print 'domain' and 'url' information for base document and both iframes.

#############################################################
### BASE PAGE : domain.fr / https://subdomain.domain.fr/path1
### IFRAME 1 : domain.fr / https://subdomain.domain.fr/path2
TypeError: iframe2 is null

[...]

#############################################################
### BASE PAGE : domain.fr / https://subdomain.domain.fr/path1
### IFRAME 1 : domain.fr / https://subdomain.domain.fr/path2
### IFRAME 2 : domain.fr / about:blank

[...]

#############################################################
### BASE PAGE : domain.fr / https://subdomain.domain.fr/path1
### IFRAME 1 : domain.fr / https://subdomain.domain.fr/path2
### IFRAME 2 : subdomain.domain.fr / https://subdomain.domain.fr/path3

So I think the issue is occurring because the second iframe changes its domain when the url is updated from about:blank to https://subdomain.domain.fr/path3

Questions

Why are exceptions fired with iframes located on the same domain/subdomain ?

Is there another way to access the second iframe content and act on it with Chrome ?

Does somebody knows why this code is working with Firefox but not with Chrome ?

Arkaik
  • 852
  • 2
  • 19
  • 39

1 Answers1

1

The reason is stated in the error message:

The frame requesting access set "document.domain" to "domain.fr", but the frame being
accessed did not. Both must set "document.domain" to the same value to allow access

Same Origin Policy is based on the "tuple origin" term: scheme + host + port + domain. Origins are generally immutable, only the domain of a tuple origin can be changed, and only through the document.domain API (a port number will be additionally reset to null).

One of your frame with origin https://subdomain.domain.fr:443 sets the document.domain property to the https://domain.fr:null.
To allow it to have access to other iframes on the page, you have to set document.domain = "https://domain.fr" to all ot them. Or if it possible do not touch document.domain property at all for any iframe and main window.

It's somewhat strange why your code works in Firefox and doesn't work in Chrome - recent versions of both browsers support document.domain property the same way.

Pls note that document.domain property is deprecated, so is better to avoid using it if possible.

Refused to run the JavaScript URL

Looks like a Content Security Policy blocks the <a href='void(0)'> constructions. It does not prevent link following, just block an javascript execution.

granty
  • 7,234
  • 1
  • 14
  • 21