Miaonster

Reputation: 1522

Firefox 13.0 cross-domain localStorage access: Error: The operation is insecure

Today I upgraded my Firefox to 13.0, but something went wrong with my JavaScript code.

There's a webpage A (www.xx.com) and a webpage B (webim.xx.com). I embed B in A using an iframe tag.

webpage A

First, set the domain to 'xx.com':

<script>document.domain = 'xx.com';</script>

Then create an iframe to load webpage B:

<script>
var iframe = document.createElement('iframe');
document.body.insertBefore(iframe, document.body.firstChild);
iframe.src = 'http://webim.xx.com';
</script>

Webpage B sets the domain to 'xx.com':

<script>document.domain = 'xx.com';</script>

Then I access the localStorage of webpage B.

On webpage A, execute code:

window.iframe.contentWindow.localStorage.setItem('a', 'a')

Then an error will be given:

Error: The operation is insecure.

In previous versions or other browsers, the code executes normally.

Does anybody know why?

Is it a bug?

And how can I solve this problem? Thanks.


Just now I found a way to fix this problem.

I can't access the localStorage directly, but I can call a function of the iframe which can call the localStorage of its own webpage.

/// webpage B
<script>
document.domain = 'xx.com';
var ls = { ///< ls is short for localStorage.
    setItem: function(k, v) {
        return localStorage.setItem(k, v);
    },
    getItem: function(k) {
        return localStorage.getItem(k);
    },
    removeItem: function(k) {
        return localStorage.removeItem(k);
    },
    clear: function(){
        return localStorage.clear();
    }
};
</script>

Then I call ls.setItem etc. to access the localStorage of the iframe.

/// webpage A
<script>iframe.contentWindow.ls.setItem('a', 'b');</script>

Even though I can solve this problem, why does Firefox 13.0 cause this problem?

Upvotes: 4

Views: 7532

Answers (1)

Boris Zbarsky

Reputation: 35064

The old Firefox behavior was buggy, and the bug got fixed. Per spec, setting document.domain should have absolutely no effect on the behavior of localStorage, so in your case you're trying to set localStorage for a different domain, which is not allowed.

See https://bugzilla.mozilla.org/show_bug.cgi?id=495337 and the localStorage spec for details.

Upvotes: 4
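
The distinction the answer draws, as an added example that is not part of the original question or answer: a simplified JavaScript model of the DOM access check (which honours document.domain) beside the storage check (which does not). The hosts are the question's placeholders and the function names are hypothetical.

```javascript
// Simplified model of the two checks; not browser source code.
// Hosts are the question's placeholders, function names are hypothetical.

// A browsing context: its URL plus the value assigned to document.domain
// (null when the page never set it).
function context(url, domain = null) {
  const u = new URL(url);
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  return { scheme: u.protocol, host: u.hostname, port, domain };
}

// Tuple-origin comparison: scheme, host and port. Web Storage is keyed on
// this and never looks at document.domain.
function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// "Same origin-domain" comparison from the HTML spec, used for script access
// to another window's objects: if both sides set document.domain, only the
// scheme and that domain are compared (host and port are ignored).
function sameOriginDomain(a, b) {
  if (a.domain !== null && b.domain !== null) {
    return a.scheme === b.scheme && a.domain === b.domain;
  }
  return a.domain === null && b.domain === null && sameOrigin(a, b);
}

// What the parent page may do with the iframe it embeds.
function accessFromParent(parent, frame) {
  return {
    // Calling a function defined in the frame, such as the ls wrapper.
    callFrameFunctions: sameOriginDomain(parent, frame),
    // Touching frame.contentWindow.localStorage directly.
    useFrameLocalStorage: sameOrigin(parent, frame),
  };
}

const pageA = context('http://www.xx.com/', 'xx.com');
const pageB = context('http://webim.xx.com/', 'xx.com');
console.log(accessFromParent(pageA, pageB));
```

Because the DOM check ignores the host once both sides set document.domain, any other page under xx.com that sets the same value passes it too and could call the `ls` wrapper exposed by webpage B.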
