The same domain check here is clearly broken and wrong. You can't catch a
same origin policy violation on most browsers.

The only way to legitimately check that it's the same origin ("same domain")
is to require that the host, port, and protocol of the parent parameter
match that of the current domain, and then just assume that it's ok to fail
if the parent page is lying about its own value.

On Thu, Dec 4, 2008 at 12:54 AM, Chris Chabot <[EMAIL PROTECTED]> wrote:

> Hey guys, I *thought* I was all ready to go for a 1.0.0 release, every
> little (but important) bug I knew of was fixed, but at the last moment a svn
> update broke something in (what seems to be) the RPC code.
>
> This bit of code:
> 9098 function callSameDomain(target, rpc) {
> 9090 if (typeof sameDomain[target] === 'undefined') {
> 9091 // Seed with a negative, typed value to avoid
> 9092 // hitting this code path repeatedly
> 9093 sameDomain[target] = false;
> 9094 var targetEl = null;
> 9095 if (target === '..') {
> 9096 targetEl = parent;
> 9097 } else {
> 9098 targetEl = frames[target];
> 9099 }
> 9100 try {
> 9101 // If this succeeds, then same-domain policy applied
> 9102 sameDomain[target] = targetEl.gadgets.rpc.receiveSameDomain;
> 9103 } catch (e) {
> 9104 // Usual case: different domains
> 9105 }
> 9106 }
>
> (sorry for the firebug line # spam) causes the following error in FF3:
>
> Permission denied to call method Location.toString
> callSameDomain()ifr?synd...375419175 (line 9102)
> call()()ifr?synd...375419175 (line 9248)
> adjustHeight()()ifr?synd...375419175 (line 9502)
> onLoadedData(Object responseItems_=Object
> globalError_=false)ifr?synd...375419175
> (line 10912)
> sendResponse()(Object 0=Object 1=Object 2=Object 3=Object 4=Object
> 5=Object)ifr?synd...375419175
> (line 7521)
> processNonProxiedResponse("
>
> http://shindig/social/rpc?st=UXpWVHZ0TTElMkJQbk9MQjJFWXU1cEJmSjVuU1dHaGZQZ21mdVVWUktCY0xwZldYeWNVaXhpS0p4MGF3Qlpmemx3enRqQUJoUDlGTDBaejlwd0JIJTJGaWhWcGklMkJKOGd2RVdHWjdHZjVtc1BkRUF0Wmo3Z1VLNXZHc1RvcTBRd2pLSzhxYU0zb3F1S2plVGxBSzQ0ckE5ekdSZXVIdHF4TUo2RjUlMkJJRFdldlV6MjJHN2ZUQklCR29ubmFBcng4RDNKMFBNU2MwSFElM0QlM0Q%3D
> ", function(), Object CONTENT_TYPE=JSON METHOD=POST AUTHORIZATION=SIGNED,
> XMLHttpRequest)ifr?synd...375419175 (line 1603)
> (?)()()ifr?synd...375419175 (line 411)
> sameDomain[target] = targetEl.gadgets.rpc.receiveSameDomain;
>
> In Safari and Chrome (and presumably IE) this is working fine, so it's a
> FF3-specific issue as far as I've been able to test.
>
> The problem is that this is breaking every major gadget that I can test ...
> so a 'blocker' is not an understatement here.
>
> Unfortunately my knowledge of the RPC JS code is too limited to be able to
> say anything sensible about this, so I'm hoping someone with more of a clue
> will be able to guess what's going on here!
>
> The problem is easily reproducible on:
> http://www.partuza.nl/profile/application/1/833/2992
>
> I'm not a 100% sure on what changed, but all I can offer is "It used to
> work" :)
>
>   -- Chris
>
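
The check described in the reply at the top of this message (host, port, and protocol of the parent parameter compared against the current page), as an added example that is not part of the thread or of Shindig's code. It assumes the container passes its URL in a query parameter named `parent`; the function names and the sample URLs in the comments are constructed for illustration.

```javascript
// Added example; originTuple, sameOrigin and parentIsSameOrigin are hypothetical names.
const DEFAULT_PORTS = new Map([['http:', '80'], ['https:', '443']]);

// Reduce a URL string to its (protocol, host, port) tuple.
// Returns null when the value is not an absolute http(s) URL.
function originTuple(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch (e) {
    return null; // malformed or relative value such as '..'
  }
  if (!DEFAULT_PORTS.has(u.protocol)) {
    return null; // data:, file:, etc. have no origin to compare here
  }
  return {
    protocol: u.protocol,
    host: u.hostname, // the URL parser has already lowercased it
    port: u.port || DEFAULT_PORTS.get(u.protocol), // make the default port explicit
  };
}

// True only when all three components match.
function sameOrigin(a, b) {
  const x = originTuple(a);
  const y = originTuple(b);
  if (x === null || y === null) {
    return false;
  }
  return x.protocol === y.protocol && x.host === y.host && x.port === y.port;
}

// Assumption: the gadget iframe URL carries the container URL in ?parent=...
// The decision is made from strings only; no property of the parent window
// is read, so no cross-origin exception can be raised by this check.
function parentIsSameOrigin(gadgetHref) {
  let parentParam;
  try {
    parentParam = new URL(gadgetHref).searchParams.get('parent');
  } catch (e) {
    return false;
  }
  return parentParam !== null && sameOrigin(parentParam, gadgetHref);
}

// Constructed sample: gadget and container both on gadgets.example:8080.
// parentIsSameOrigin('http://gadgets.example:8080/ifr?parent=http%3A%2F%2Fgadgets.example%3A8080%2Fprofile')
```

A `true` result only says the direct same-domain path may be attempted; if the container supplied a false `parent` value, the cross-frame access still fails, which is the failure the reply says to accept.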
