chrome window acts like an iframe (when running with disabled web security)


Ben Amsalem

Mar 14, 2018, 3:59:31 AM
to Chromium-dev
Hi,
I launch Chrome with the `--disable-web-security` flag for testing purposes, then my HTML page is loaded (http://my.page.com/) and opens a new tab using `var wnd1 = window.open('https://other.domain.com')`. When the new page is loaded (in a new tab), I can execute some JavaScript on the new window object, for instance: `wnd1.document.querySelector(".class1 p")`. So far everything makes sense.
Then again, I open a page from a different domain: `var wnd2 = window.open('https://different.domain2.com')`, and try to access its document with JavaScript code: `wnd2.document`, but now I get an error that looks related to iframes: "Uncaught DOMException: Blocked a frame with origin "http://my.page.com" from accessing a cross-origin frame.
    at <anonymous>:1:4"

This error occurs only with specific domains (in contrast to "regular" domains - msn.com, google.com, etc., which I can open and execute JS code on). Any header that makes it act like an iframe? Some other protection methods?

Daniel Cheng

Mar 14, 2018, 4:07:42 AM
to Ben Amsalem, Chromium-dev
The exception you're seeing is the generic error thrown for a same-origin policy violation when an access check fails; it's not specific to iframes.

It is surprising that you're seeing it with --disable-web-security, since the whole point is to disable the same-origin policy. https://bugs.chromium.org/p/chromium/issues/detail?id=812501 was reported fairly recently; if you have reliable repro steps that work in a clean profile that you're willing to share, that would be useful input on the bug.

Daniel



PhistucK

Mar 14, 2018, 4:20:53 AM
to Daniel Cheng, Ben Amsalem, Chromium-dev
It might have something to do with site isolation (you cannot access JavaScript objects of a different process)?

I guess the site isolation feature is going to defeat most of the purpose of this flag.


PhistucK


Ben Amsalem

Mar 14, 2018, 4:29:17 AM
to Chromium-dev, ben...@gmail.com
I'm not sure it's the usual same-origin policy, because I can execute JS from my domain on some different-domain pages (google.com, msn.com) and it occurs only for other specific domains (accounts.google.com for example). I want to build a page that will act the same way as scripts.google.com acts, and I'm looking for whatever I need to add to my page.

Ben Amsalem

Mar 14, 2018, 5:03:54 AM
to Chromium-dev, dch...@chromium.org, ben...@gmail.com
You are right, when I open a new tab of accounts.google.com, a new process is launched. Is there a way to have my own site opened in a new process (when opened with `window.open`), or is it something hard-coded in Chrome for specific domain names only?



Mihai Sardarescu

Mar 14, 2018, 5:28:24 AM
to Chromium-dev, dch...@chromium.org, ben...@gmail.com, Alex Moshchuk
CC+ Alex.

Site isolation is enforced for accounts.google.com (and has been enforced since M64) for security reasons. We are using this origin to sign in to Chrome so it needs to always run in a safe renderer process.

- Mihai