author | Jesse Hallett <jesse@galois.com> | 2013-12-18 13:53:51 -0800 |
---|---|---|
committer | Jesse Hallett <jesse@galois.com> | 2013-12-18 13:59:07 -0800 |
commit | 7ead4cef0a6f9621d76997fbced49dab3df51cfb (patch) | |
tree | 526c89b149565c11ae0654049fec2bab6d902c85 | |
parent | 6c8db8b9bd08a24b099b5061385b095c3d51b9b2 (diff) |
Avoids traversing frames from different origins
Attempting to access the document of a frame loaded from a different
origin than the page was loaded from results in an exception.
-rw-r--r-- | src/js/fiveui/injected/prelude.js | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/src/js/fiveui/injected/prelude.js b/src/js/fiveui/injected/prelude.js
index 250488f..af98341 100644
--- a/src/js/fiveui/injected/prelude.js
+++ b/src/js/fiveui/injected/prelude.js
@@ -19,6 +19,8 @@
 * limitations under the License.
 */
+/*global $5: true */
+
 /**
 * The FiveUI Prelude.
 *
@@ -64,7 +66,9 @@ fiveui.query = function (sel, context) {
 var ctx = context || document;
 var $results = jQuery(sel, ctx);
- jQuery('iframe, frame', ctx).each(
+ jQuery('iframe, frame', ctx)
+ .filter(function(idx, frame) { return sameOrigin(frame); })
+ .each(
 function(idx, elt) {
 var $tempResults;
 if (elt.contentDocument) {
@@ -89,6 +93,14 @@ fiveui.query = function (sel, context) {
 fiveui.stats.numElts += $filteredResults.length;
 return $filteredResults;
+
+ // Frames are considered to be from the same origin if their location
+ // hosts, ports, and schemes are the same.
+ function sameOrigin(frame) {
+ var src = frame.src;
+ var origin = window.location.origin;
+ return src.indexOf(origin) === 0 && src.charAt(origin.length) !== ':';
+ }
 };
 /**
@@ -287,7 +299,7 @@ fiveui.color.rgbToHex = function (r, g, b) {
 };
 /**
- * Convert a 3-byte hex value to base-10 RGB
+ * Convert a 3-byte hex value to base-10 RGB
 */
 fiveui.color.hexToRGB = function (hex) {
 var result = /^#?([a-f\d]{2})([a-f\d]{2})([a-f\d]{2})$/i.exec(hex);
@@ -421,7 +433,7 @@ fiveui.color.contrast = function(lum1, lum2) {
 /**
 * Computationally determine the actual displayed background color for
- * an object. This accounts for parent colors that may appear when
+ * an object. This accounts for parent colors that may appear when
 * a bg color is unspecified, or fully transparent.
 *
 * It does not account for elements that are shifted out of their
@@ -476,7 +488,7 @@ fiveui.color.findBGColor = function(obj) {
 /**
 * Combines two colors, accounting for alpha values less than 1.
- *
+ *
 * @param {color} top The color "on top"
 * @param {color} bot The color "on bottom"
 * @return {color} the composite RGBA color. |
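Review bot: In the `@@ -89,6 +93,14 @@` hunk, `sameOrigin` accepts any `frame.src` that merely starts with `window.location.origin` and is not followed by a colon, so a src whose host extends the page's host (constructed example: origin `https://host.example`, src `https://host.example.other/`) or uses an `@` userinfo separator still passes, and the `elt.contentDocument` access this commit is meant to protect will throw again on such frames. The character after the origin prefix should be required to be a path, query or fragment delimiter or the end of the string: `var next = src.charAt(origin.length);` / `return src.indexOf(origin) === 0 && (next === '' || next === '/' || next === '?' || next === '#');`. Note also that `src` reflects the attribute rather than the document actually loaded (redirects, frames with an empty src), so this filter is presumably only a heuristic and the `contentDocument` access in the `@@ -64,7 +66,9 @@` hunk still deserves a try/catch; the header comment should also say it compares against `window.location.origin` rather than "hosts, ports, and schemes" in general. `fiveui.query` begins outside these hunks.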