js exception with iframe

[wilhub]

When allowing webmin inside iframe (no_frame_options=1 in config), i get some js exception :

Uncaught SecurityError: 
Blocked a frame with origin "..." from accessing a frame with origin "...". Protocols, domains, and ports must match.

Click on menu items is broken

Prepending this line to loader.min.js works.

try { window.parent.$; } catch (e) { window.parent = window; }

[iliajie]

Thanks. I edited /etc/webmin/config and put there proposed line. Restarted Webmin - all is fine? How could I reproduce it?

[iliajie]

On the other hand I don't see how posted code would fix it? It's the problem of same origin policy and I don't see how it's related to the theme. Theme loads things based on what Webmin supplies to it.

Webmin librariy has the following:

if (!$gconfig{'no_frame_options'}) {
    print "X-Frame-Options: SAMEORIGIN\n";
}

Which means if there is no option no_frame_options or this option set to 0, then X-Frame-Options: SAMEORIGIN is inserted, which at the same time mean:

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object> . Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

What is the way that you run Webmin? Do you use Apache or inbuilt minserv?

[wilhub]

Problem is about accessing window.parent properties, not about X-Frame-Options.
I forgot to mention that the page domain and the iframe domain are different in my case.
For exemple a page http://abc.domain.com including a <iframe src="http://webmin.domain.com" ></iframe>

[iliajie]

I see. From my perspective of view, it's not going to work, unless you disable (if allowed by your browser) same origin policy protection. Please read more about it. It's security flaw but possible to do.

http://stackoverflow.com/questions/3102819/disable-same-origin-policy-in-chrome

It's irrelevant to the theme, I think, unless you convince me otherwise. You might also be interested with taking a look at no_content_security_policy option.

[wilhub]

loader.min.js and default.min.js use window.parent.
They are both loaded inside main webmin window [a] and it's iframe [b] (with attribute name="page").

When iframe [b] use window.parent, it refer to webmin window [a].
When webmin window [a] use window.parent, it refer to itself (window.parent === window).
But if webmin window [a] is embed inside a iframe and use window.parent, it don't refer to itself, but to the window [c] containing the webmin iframe window [a].
In this case, window.parent shouldn't be used and refer to window outside the webmin application.
This throw an exception because [a] and [c] domains mismatch.

try { window.parent.$; } catch (e) { window.parent = window; } is testing $ property access in window.parent. If it throw an exception, window.parent = window is evaluated and window.parent refer again to itself as in original case.

Setting no_content_security_policy=1 which remove Content-Security-Policy doesn't solve the issue.

[iliajie]

Oh, that! Alright, it sounds correct then. Sorry! What if I make sure that while being in window.parent, my theme's scripts, would not call to window.parent but only to window (to it's self)? Or you think it's easier to add try/catch statement? Only loader.min.js and default.min.js causing issues in your case senario?

[wilhub]

Yes, only this two file.
try/catch is the easier way i think, without code change.
Or you can use a test, which seems cleaner. Like

if (window.name === "page") {
// page iframe
}
else {
// main window
// don't use window.parent
}

[iliajie]

This is actually pretty close to what I do to define frames, I just use

if (window.location == window.parent.location) {

}
 else {

}

Alright, I will test try { window.parent.$; } catch (e) { window.parent = window; } and as you say it's working for you I will add it to the top of those 2 files.

[wilhub]

Thank you, and the theme too!

[iliajie]

You are very welcome!