yiisoft / yii2-debug

Debug Extension for Yii 2
http://www.yiiframework.com
BSD 3-Clause "New" or "Revised" License

Duplicate toolbar bugfix #423

Closed My6UoT9 closed 4 years ago

My6UoT9 commented 4 years ago

When document.domain is set for cross-origin reasons, window.frameElement can return null. Comparing window.top to window is safe, as when both objects are the same, it is not in an iframe.

https://developer.mozilla.org/en-US/docs/Web/API/Window/frameElement
https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy#Changing_origin

Q              A
Is bugfix?     ✔️
New feature?
Breaks BC?
Tests pass?    ✔️
Fixed issues
samdark commented 4 years ago

How to reproduce it?

My6UoT9 commented 4 years ago

Add, in the backend, a script to the head section which alters the current origin. I believe it is required to have 2 levels of subdomain for this, as I think it's not possible to set it to the TLD test only.
So this is inserted in a page residing on admin.domain.test:
<script>document.domain="domain.test";</script>

Then just load the page; I get a duplicated toolbar (after clicking on the toolbar, so it opens), and debugging with devtools reveals that window.frameElement returns null from the debug iframe.
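The following is an added example, not code from yii2-debug or from the PR author: it models the two "am I inside an iframe?" checks this PR is about (the one in the PR description and the observation in the reproduction above) and shows why the window.top comparison keeps working after a document.domain change while a check built on window.frameElement lets a second toolbar render. The window objects are constructed stand-ins so it runs in plain Node; the origin relaxation itself is not reproduced, only its observable effect (frameElement reading null) is modelled.

```javascript
// Added example (not yii2-debug's own code). The "window" objects below are
// constructed stand-ins whose property names (top, frameElement) mirror the
// real Window API; no browser is involved.

// Check A: the kind of test the fix replaces. window.frameElement is null at
// top level and also, per MDN, whenever the embedding document is not
// "same origin-domain" with the frame's document, so after the parent has
// changed document.domain it cannot tell "top level" from "child frame".
function inIframeViaFrameElement(win) {
  return win.frameElement !== null;
}

// Check B: the test the fix uses. window.top is one of the few properties a
// browser exposes across origins, and only its identity is compared, so no
// cross-origin property read happens and nothing throws.
function inIframeViaTop(win) {
  return win.top !== win;
}

// Toolbar rendering as a function of the chosen check: render only when the
// window is the top-level document, never inside the debug iframe.
function toolbarsRendered(windows, inIframe) {
  return windows.filter((win) => !inIframe(win)).length;
}

// Construct the three windows the thread talks about (constructed data).
function makeWindows() {
  const top = { name: 'top-level page', frameElement: null };
  top.top = top; // window.top === window at top level

  const iframeEl = { tagName: 'IFRAME' }; // the <iframe> element in the parent DOM

  // Debug iframe while parent and child still share the same origin:
  // frameElement resolves to the element.
  const sameOrigin = { name: 'debug iframe, same origin', top, frameElement: iframeEl };

  // Same frame after the parent ran document.domain = "domain.test" and the
  // child did not: they are no longer same origin-domain, so frameElement
  // reads null, which is what the reporter saw in devtools. window.top is
  // still the parent window object.
  const relaxed = { name: 'debug iframe after document.domain change', top, frameElement: null };

  return { top, sameOrigin, relaxed };
}

// Results for each window under each check, as [viaFrameElement, viaTop].
function detectionMatrix() {
  const w = makeWindows();
  return {
    topLevel: [inIframeViaFrameElement(w.top), inIframeViaTop(w.top)],
    sameOrigin: [inIframeViaFrameElement(w.sameOrigin), inIframeViaTop(w.sameOrigin)],
    relaxed: [inIframeViaFrameElement(w.relaxed), inIframeViaTop(w.relaxed)],
  };
}

// How many toolbars end up on screen for a page plus its debug iframe after
// the document.domain change: 2 (the duplicate) with check A, 1 with check B.
function toolbarCountAfterDomainChange() {
  const w = makeWindows();
  const page = [w.top, w.relaxed];
  return {
    viaFrameElement: toolbarsRendered(page, inIframeViaFrameElement),
    viaTop: toolbarsRendered(page, inIframeViaTop),
  };
}

console.log(JSON.stringify(detectionMatrix(), null, 2));
console.log(JSON.stringify(toolbarCountAfterDomainChange(), null, 2));
```

The identity comparison needs no try/catch: reading window.top on a cross-origin frame is permitted by the same-origin policy, whereas reading most other properties of a cross-origin window throws a SecurityError, which is one more reason the fix's check is the more robust of the two.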

samdark commented 4 years ago

Interesting. Seems I need to update my understanding of iframes. Will get back after reading docs from links provided.

samdark commented 4 years ago

Merged. Thanks!