 

Cross Domain JavaScript parent location setting firefox error

Here is the case:
page A contains iframe B, B contains iframe C, A and B are under the same domain, C under another.
C tries to reset parent B's location with extra information following "#" to solve cross domain communication using Fragment Id Messaging.

IE6/7/8 just works fine with this case, while Firefox blocks parent.location setting with error message [Access to property denied" code: "1010]. But if B is the top window, meaning there is no A, Firefox lives too.

It's strange to me... Could you guys please help?

Thank you!

Xiao Xu asked Jul 21 '09 03:07



1 Answer

Historically, any window could change the location of any other window. This turned out to be a problem because, among other things, it meant embedding a login iframe in a window was unsafe (because then a malicious site could replace the login iframe with a spoofed version). Over time further restrictions have been applied to location changes to browser windows, until now, when HTML5 and most browsers have reached common agreement on the ancestor policy. In a nutshell, paraphrasing the HTML5 specification, a window A can change the location of another window B iff:

  • the locations of A and B have the same origin, which is to say they have the same scheme, host, and port (http, stackoverflow.com, 80 for example), or
  • B is a top-level window, and A is a window in a frame nested at some depth within B (direct child, child of a child, etc.), or
  • B is a window opened using window.open and A can change the location of the window that opened B (so B is a popup opened by A, by a popup window opened by A, or at greater depth), or
  • B isn't a top-level window, but its parent window, or its parent's parent window, or at some similar amount of parentage the locations of that window and A are same-origin

(Same origin is more complicated than this, but the embedded description above catches its essence and covers the most common cases.)

Under this policy, C may change the location of A, and A may change the location of B or C, but C may not change the location of B. If you need to work around this, then you should change your page A's location to something that changes B as appropriate; alternately, you could ask your page B to change its own location.

Hopefully that's informative, if not necessarily helpful. The browser security model wasn't so much designed as evolved, and only with recent work in HTML5 is it really being precisely nailed down to address these cross-browser inconsistencies.

All that said, I'm surprised IE7 and IE8 work for you -- it was my understanding the above policy was primarily based upon the policy IE7 implemented.

Jeff Walden answered Sep 28 '22 03:09

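The four rules paraphrased in the answer above, written out as a small model and applied to the A/B/C layout from the question. This is an added example, not part of the original answer and not a browser's actual algorithm; `makeWindow`, `canNavigate`, `questionLayout` and the `site.example` / `other.example` URLs are constructed for illustration.

```javascript
// Added example: simplified model of the ancestor policy paraphrased above.
// Windows are plain records (constructed), not real browser windows.
function makeWindow(url, { parent = null, opener = null } = {}) {
  return { url: new URL(url), parent, opener };
}

// Same origin here means same scheme, host and port, as in the answer.
function sameOrigin(a, b) {
  return a.url.origin === b.url.origin;
}

// True when `ancestor` is the parent of `w`, or its parent's parent, and so on.
function isAncestor(ancestor, w) {
  for (let p = w.parent; p; p = p.parent) {
    if (p === ancestor) return true;
  }
  return false;
}

// May window `a` change the location of window `b`?
function canNavigate(a, b) {
  if (sameOrigin(a, b)) return true;                    // rule 1
  if (b.parent === null) {
    if (isAncestor(b, a)) return true;                  // rule 2: a is nested in top-level b
    return b.opener ? canNavigate(a, b.opener) : false; // rule 3: popup, defer to its opener
  }
  for (let p = b.parent; p; p = p.parent) {             // rule 4: some ancestor of b
    if (sameOrigin(a, p)) return true;                  //   is same-origin with a
  }
  return false;
}

// The question's layout: A (top) > B (same site) > C (other site). Constructed URLs.
function questionLayout() {
  const A = makeWindow("http://site.example/a.html");
  const B = makeWindow("http://site.example/b.html", { parent: A });
  const C = makeWindow("http://other.example/c.html", { parent: B });
  return { A, B, C };
}

const { A, B, C } = questionLayout();
console.log("C -> B:", canNavigate(C, B));
console.log("C -> A:", canNavigate(C, A));
console.log("A -> B:", canNavigate(A, B));
console.log("A -> C:", canNavigate(A, C));
```

With A removed, B is a top-level window and rule 2 applies, so in this model `canNavigate(C, B)` becomes true, which matches the behaviour the question reports for that case.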