Webkit’s cross-domain security issues explained

WBOY
2016-05-16 18:02:27

Here is a simple test page: IE and Firefox pop up "hello world", but Chrome, Safari, and Opera do not respond.
The test code follows (the domains are deliberately set so that the parent page and the child page are on different domains):
1. Parent page code:

<script>
document.domain = "nunumick.me";
function doTest(){
    alert('hello world');
}
</script>


2. Child page code:

<script>
try{
    top.name;
}catch(e){
    document.domain = 'nunumick.me';
    top.doTest();
}
</script>

The purpose of the above code is to try the access and, when an exception occurs, dynamically modify the domain so that access succeeds. WebKit-based browsers, however, bluntly report an error instead of throwing a catchable exception, while the other browsers run as expected.

Chrome error message: [screenshot not preserved]
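
The two failure modes can be compared outside a browser. This is an added example, not code from the original article: `makeTop` is a constructed mock of the parent window, and the helper names, the child domain `sub.nunumick.me` and the "denied read yields undefined" model of WebKit are assumptions. It runs the article's child-page pattern next to a probe that checks the value read instead of relying on an exception.

```javascript
// Constructed mock of the parent window (domain "nunumick.me"). Denied reads
// throw in mode "throw"; in mode "silent" they yield undefined, an assumed
// model of the non-throwing WebKit behaviour described above.
function makeTop(mode, childDoc) {
  const top = { calls: 0 };
  const guard = (value) => () => {
    if (childDoc.domain === "nunumick.me") return value;
    if (mode === "throw") throw new Error("Permission denied");
    return undefined;
  };
  top.location = Object.defineProperty({}, "href", { get: guard("http://nunumick.me/") });
  Object.defineProperty(top, "name", { get: guard("parent") });
  Object.defineProperty(top, "doTest", { get: guard(() => { top.calls++; }) });
  return top;
}

// The article's child-page pattern: relies on the denied read throwing.
function articlePattern(topWin, doc) {
  try {
    topWin.name;
  } catch (e) {
    doc.domain = "nunumick.me";
    topWin.doTest();
  }
  return topWin.calls;
}

// Probe that treats a thrown exception and a silent undefined alike.
function canAccessFrame(win) {
  try {
    return typeof win.location.href === "string";
  } catch (e) {
    return false;
  }
}

// Same intent as the article's code, but driven by the probe's result.
function probePattern(topWin, doc) {
  if (!canAccessFrame(topWin)) {
    doc.domain = "nunumick.me";
    if (!canAccessFrame(topWin)) return topWin.calls; // still denied
  }
  topWin.doTest();
  return topWin.calls;
}

function run(pattern, mode) {
  const doc = { domain: "sub.nunumick.me" }; // constructed child-page domain
  return pattern(makeTop(mode, doc), doc);
}
```

`run(articlePattern, "silent")` returns 0 because the catch block never executes, while `run(probePattern, "silent")` returns 1.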

Using try/catch in this way to decide whether a cross-frame access is safe is not an isolated practice. Dojo, for example:

try{
    //see if we can access the iframe's location
    //without a permission denied error
    var iframeSearch = _getSegment(iframeLoc.href, "?");
    //good, the iframe is same origin (no thrown exception)
    if(document.title != docTitle){
        // sync title of main window with title of iframe.
        docTitle = this.iframe.document.title = document.title;
    }
}catch(e){
    //permission denied - server cannot be reached.
    ifrOffline = true;
    console.error("dojo.hash: Error adding history entry. Server unreachable.");
}

Another example is FCKeditor:

try{
    if ( (/fcksource=true/i).test( window.top.location.search ) )
        sFile = 'fckeditor.original.html' ;
}
catch (e) { /* Ignore it. Much probably we are inside a FRAME where the "top" is in another domain (security error). */ }

There is also a lot of feedback from users: Chrome bug report

The above code does not work in Chrome, Safari, or Opera. I checked some information and recorded it here:
1. HTML5 security location
2. WebKit dev lists
As seen from the discussion messages of the WebKit developers, they admit this problem but are unwilling to correct it, holy shit!
