fix(react-dom): check if iframe belongs to the same origin

The try / catch block doesn't catch cross domain security error but it doesn't affect the code execution flow. This mean that the code after the try / catch block will be executed. We can do the following To check if the parent page has access to the iframe document: ``javascript` let hasAccessToDocument = false; // declare an unitialized variable try { iframe.contentWindow.location.href; // try to access the iframe property hasAccessToDocument = href != null; // This line will be executed if it has access } catch (err) { // Catch block is not executed since the browser throws a cross-domain error } return hasAccessToDocument; // This value will be set to true if the parent page has access to the iframe content. ```
facebook · Mar 14, 2019 · c20f858 · c20f858
1 parent 2aabdf5
commit c20f858
Showing 1 changed file with 18 additions and 1 deletion.
diff --git a/packages/react-dom/src/client/ReactInputSelection.js b/packages/react-dom/src/client/ReactInputSelection.js
@@ -40,14 +40,31 @@ function isInDocument(node) {
   );
 }
 
+function isSameOriginFrame(iframe) {
+  let hasAccessToDocument = false;
+  try {
+    const href = iframe.contentWindow.location.href;
+    // This line is only invoked if the iframe belongs to the same domain
+    hasAccessToDocument = href != null;
+  } catch (err) {
+    // Catch block is not executed since the browser throws a cross-domain error
+  }
+
+  return hasAccessToDocument;
+}
+
 function getActiveElementDeep() {
   let win = window;
   let element = getActiveElement();
   while (element instanceof win.HTMLIFrameElement) {
     // Accessing the contentWindow of a HTMLIframeElement can cause the browser
     // to throw, e.g. if it has a cross-origin src attribute
     try {
-      win = element.contentWindow;
+      if (isSameOriginFrame(element)) {
+        win = element.contentWindow;
+      } else {
+        return element;
+      }
     } catch (e) {
       return element;
     }