[TYPO3-core] RFC: #13828: Login cause JS error if not in frame (access to parent is not allowed)

Ernesto Baschny [cron IT] ernst at cron-it.de
Tue Mar 16 19:42:33 CET 2010


Steffen Kamper wrote on 16.03.2010 19:18:
> Hi,
> 
> Ernesto Baschny [cron IT] wrote:
>> Steffen Kamper wrote on 16.03.2010 18:53:
>>
>>> ok, I try again :)
>>>
>>> Your BE login is http://domain/typo3
>>>
>>> Now create a link to this login page anywhere and click it. The error
>>> arises on the login page, because the parent.opener is filled (you come
>>> from another window). You don't have to login, just the login page
>>> loaded.
>>
>> OK, I give up. Unable to reproduce.
>>
>> parent.opener from external link is always "null" for me (so further
>> checks are skipped anyway). I tried to open the link with
>> "window.open('/typo3/')" via javascript, then I have a parent.opener,
>> but then parent.opener.TS is undefined, which also then skipped the
>> remaining conditions.
>>
>> So how do you create a parent.opener that is neither NULL nor accessible??
>>
> 
> I don't create anything ;) parent is Window and opener is undefined. The
> link I use is on a different domain, so JS tries to access parent.opener
> but this is not allowed (cross domain) and the error is thrown.

The current condition is:

if (parent.opener && parent.opener.TS && parent.opener.TS.username &&
     document.loginform && document.loginform.username)

If parent is Window and opener is "undefined", as you are saying, you
will never get to the "parent.opener.TS" part (which is what is showing
your Firebug error screenshot), because the first condition will already
be unmet.

So you managed to create a link which sets "parent.opener" to something
that is not allowed (cross domain), which I was not able to do. My links
(be it from bookmarks, from links on other pages etc) always end up with
parent.opener="null" (meaning undefined, so no thrown error).

> more simple to reproduce, if you have a localhost: create a bookmark
> to your login page of any domain and use it.

I have a "localhost" (who doesn't? hehe).

So I am sorry, but I will have to pass this over to other reviewers to test.

But I can give you a "+1" by reading, as this situation apparently pops
up (at least for you) and catching that exception clearly solves it.

Cheers,
Ernesto
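
The opener check discussed in this thread, wrapped in the exception handler the RFC proposes, as an added example that is not part of the original message or the TYPO3 patch. The function name `openerUsername`, the helper names and the stand-in window objects (including the Proxy that imitates a cross-domain opener by throwing on property reads) are assumptions constructed for illustration.

```javascript
// Added illustration: guarded read of parent.opener.TS.username.
// The window objects below are constructed stand-ins, not real browser windows.

// Returns the opener's TS.username, or null when there is no opener,
// no TS object, no login form, or the access itself throws.
function openerUsername(win, doc) {
  try {
    const opener = win.parent.opener;
    if (opener && opener.TS && opener.TS.username &&
        doc.loginform && doc.loginform.username) {
      return opener.TS.username;
    }
  } catch (e) {
    // A cross-domain opener throws on property access; treat it as "no opener".
    return null;
  }
  return null;
}

// Constructed stand-in for an opener on another domain: it is truthy,
// but every property read throws, as described in the thread.
function crossOriginOpener() {
  return new Proxy({}, {
    get() { throw new Error('Permission denied to access property'); }
  });
}

// Top-level window: parent refers to the window itself.
function makeWindow(opener) {
  const win = { opener };
  win.parent = win;
  return win;
}

// Constructed login document with the form field the condition expects.
const loginDoc = { loginform: { username: { value: '' } } };

// Runs the four cases raised in the discussion and returns the results.
function demo() {
  return {
    noOpener: openerUsername(makeWindow(null), loginDoc),
    sameOrigin: openerUsername(makeWindow({ TS: { username: 'admin' } }), loginDoc),
    noTS: openerUsername(makeWindow({}), loginDoc),
    crossOrigin: openerUsername(makeWindow(crossOriginOpener()), loginDoc),
  };
}

console.log(demo());
```

The first three cases short-circuit exactly as the unguarded condition does; only the cross-domain case reaches the `catch`, because the opener is truthy and the exception is raised on the `opener.TS` read.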

