MAGETWO-65598: [GitHub][PR] Prevent cross origin iframe content reading #8005

Oleksii Korshenko · web-flow · commit 45c1bbaf9b1c · 2017-03-22T09:45:08.000-05:00
diff --git a/app/code/Magento/PageCache/view/frontend/web/js/page-cache.js b/app/code/Magento/PageCache/view/frontend/web/js/page-cache.js
@@ -41,12 +41,17 @@ define([
          * @param {jQuery} element - Comment holder
          */
         (function lookup(element) {
-            if ($.nodeName(element, 'iframe') && $(element).prop('src').indexOf(window.location.hostname) === -1) {
-                return [];
+            // prevent cross origin iframe content reading
+            if ($(element).prop('tagName') === 'IFRAME') {
+                var iframeHostName = $('<a>').prop('href', $(element).prop('src'))
+                                             .prop('hostname');
+
+                if (window.location.hostname !== iframeHostName) {
+                    return [];
+                }
             }
-            $(element).contents().each(function (index, el) {
-                var hostName, iFrameHostName;
 
+            $(element).contents().each(function (index, el) {
                 switch (el.nodeType) {
                     case 1: // ELEMENT_NODE
                         lookup(el);
@@ -57,14 +62,7 @@ define([
                         break;
 
                     case 9: // DOCUMENT_NODE
-                        hostName = window.location.hostname;
-                        iFrameHostName = $('<a>')
-                            .prop('href', $(element).prop('src'))
-                            .prop('hostname');
-
-                        if (hostName === iFrameHostName) {
-                            lookup($(el).find('body'));
-                        }
+                        lookup($(el).find('body'));
                         break;
                 }
             });
diff --git a/dev/tests/js/jasmine/tests/app/code/Magento/PageCache/frontend/js/page-cache.test.js b/dev/tests/js/jasmine/tests/app/code/Magento/PageCache/frontend/js/page-cache.test.js
@@ -60,7 +60,7 @@ define([
 
         it('on iframe from other host returns empty Array', function () {
             iframe.contents().find('body').html(comment);
-            iframe.attr('src', '//' + host + '.otherHost/');
+            iframe.attr('src', '//' + host + '.otherHost/?origin_url=' + host);
 
             expect(iframe.comments().length).toEqual(0);
         });
