claviska/jquery-minicolors

Check for same origin before using window.top

Open

#239 opened on Dec 27, 2017

View on GitHub
 (1 comment) (1 reaction) (0 assignees)JavaScript (955 stars) (322 forks)batch import
Help Wanted

Description

With https://github.com/claviska/jquery-minicolors/pull/207 top.document should be used to attach the event handlers. When the top window is from a different origin (e.g. the site is embedded in an iframe from a different origin) then access to window.top (and therefore top.document) is prohibited by the browser. This leads to the following exception: image

Therefore access to window.top should be avoided or at least there should be a check if its safe to acces it (try catch?).

edit: I don't know why, but there is a commit that reverts the changes from https://github.com/claviska/jquery-minicolors/pull/207 see https://github.com/claviska/jquery-minicolors/commit/106c1988adc488a8b0aba4adb2a61e90de2abaa0 But its not already releaset so that the current released version still contains the access of window.top

Contributor guide

Tech stack
javascript
Domain
frontendsecurity
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
2
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
under 1 hour
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
jQuery basicssame origin policy
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
75
Research direction
Examine the jquery.minicolors.js file for the window.top.document access. Refer to PR #207 and commit 106c1988 that reverted the change. Implement a try catch or a same origin check to safely access top.document.