Bug 208200
| Summary: | A SecurityError is thrown when opening indexedDB in an iframe within a same subdomain tree | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Benoit F. <benoit.fleuriaud> |
| Component: | Website Storage | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW | ||
| Severity: | Normal | CC: | annevk, bfulgham, cdumez, marcosc, sihui_liu, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | Safari 13 | ||
| Hardware: | All | ||
| OS: | All | ||
| URL: | http://a.indigital.io | ||
| Bug Depends on: | |||
| Bug Blocks: | 165889 | ||
Benoit F.
If you open an IndexedDB connection in an iframe, it throws a SecurityError, that is completely normal if you are in a cross-origin context.
But what if you are in a domain, say "a.example.com", and you embed an iframe with "src" equal to "b.a.example.com".
The standard (https://html.spec.whatwg.org/multipage/origin.html#relaxing-the-same-origin-restriction) states that you can relax the same-origin restriction that would usually by applied by setting the "document.domain" to the same Second-Level Domain (SLD) in both parent and child contexts.
In my example, setting "document.domain" to "example.com" in the top window and the iframe window is legit and should put both in a same-origin context.
Here is a reproduction link (http://a.indigital.io) with a minimalist context. The iframe loads http://b.a.indigital.io, which is a subdomain of the opening window.
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Radar WebKit Bug Importer
<rdar://problem/88339063>
Anne van Kesteren
That is still cross-origin, though we might change that at some point to use same-site instead. Relaxing the restriction only applies to a select set of features and this is not one of them.
Nevertheless, these days you should not get an exception, but rather partitioned storage.