[BUGFIX] Catch security exceptions in global JS module 93/45093/2
authorMarkus Klein <markus.klein@typo3.org>
Wed, 2 Dec 2015 15:39:21 +0000 (16:39 +0100)
committerAndreas Fernandez <typo3@scripting-base.de>
Fri, 4 Dec 2015 10:13:42 +0000 (11:13 +0100)
The storage JS module is loaded in the top window.
In case this windows has been opened by some other page
(different domain) then a security exception is thrown
by the browsers, which kills the execution.

Catch exceptions when accessing the opener to avoid
this particular edge case.

Resolves: #71857
Releases: master
Change-Id: Ifa19d1f70eae71ac46c66bb759580d82ce5b6c99
Reviewed-on: https://review.typo3.org/45093
Reviewed-by: Eckard Gehrke <eckard.gehrke@gmx.de>
Tested-by: Eckard Gehrke <eckard.gehrke@gmx.de>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Daniel Goerz <ervaude@gmail.com>
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Tested-by: Andreas Fernandez <typo3@scripting-base.de>
typo3/sysext/backend/Resources/Public/JavaScript/Storage.js

index 3c1858f..61531c3 100644 (file)
 define(['jquery'], function ($) {
        'use strict';
 
-       // fetch from opening window
-       if (window.opener && window.opener.TYPO3 && window.opener.TYPO3.Storage) {
-               return window.opener.TYPO3.Storage;
-       }
+       try {
+               // fetch from opening window
+               if (window.opener && window.opener.TYPO3 && window.opener.TYPO3.Storage) {
+                       return window.opener.TYPO3.Storage;
+               }
 
-       // fetch from parent
-       if (parent && parent.window.TYPO3 && parent.window.TYPO3.Storage) {
-               return parent.window.TYPO3.Storage;
-       }
+               // fetch from parent
+               if (parent && parent.window.TYPO3 && parent.window.TYPO3.Storage) {
+                       return parent.window.TYPO3.Storage;
+               }
 
-       // fetch object from outer frame
-       if (top && top.TYPO3.Storage) {
-               return top.TYPO3.Storage;
+               // fetch object from outer frame
+               if (top && top.TYPO3.Storage) {
+                       return top.TYPO3.Storage;
+               }
+       } catch (e) {
+               // This only happens if the opener, parent or top is some other url (eg a local file)
+               // which loaded the current window. Then the browser's cross domain policy jumps in
+               // and raises an exception.
+               // For this case we are safe and we can create our global object below.
        }
 
        // we didn't find an existing object, so create it