[webkit-dev] Throwing SECURITY_ERR on cross-origin window.location property accesses

Mihai Parparita mihaip at chromium.org
Thu Aug 12 20:08:01 PDT 2010


I was wondering if it would be a reasonable change to make accessing
location.href (and other location properties) throw SECURITY_ERR when
accessed across origins (https://webkit.org/b/43504). This initially was
reported on the Chrome side (http://crbug.com/17325), but it looks like
neither the JSC nor V8 bindings do this, so fixing it across the board
seemed reasonable.

From my investigations, it looks like IE and Gecko both throw an exception
in this case, and the HTML5 spec mentions it too (
http://www.whatwg.org/specs/web-apps/current-work/multipage/history.html#security-location
).

I realize that we're cautious around the access checks for security reasons
(based on changes like https://trac.webkit.org/changeset/48619), but this
seems safe since 1) we were returning control to the script at that point
anyway 2) we already throw exceptions in some cases in that code:
https://trac.webkit.org/browser/trunk/WebCore/bindings/js/JSLocationCustom.cpp#L219

Thanks,
Mihai
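
The following is an added illustration, not part of the original message or of WebKit's code: caller-side script that reads a frame's `location.href` and gives the same result whether the engine throws SECURITY_ERR or blocks the read without an exception. `makeFrame` and `readFrameHref` are hypothetical names, the frame objects are constructed stand-ins, and the non-throwing mode returning `undefined` is an assumption.

```javascript
// Legacy numeric code of DOMException.SECURITY_ERR.
const SECURITY_ERR = 18;

// Constructed stand-in for a frame's window object (not a real browser API).
// mode 'throw'  : cross-origin reads raise a security error (behaviour proposed above)
// mode 'silent' : cross-origin reads yield undefined (assumed non-throwing behaviour)
function makeFrame(frameUrl, callerOrigin, mode) {
  const sameOrigin = new URL(frameUrl).origin === callerOrigin;
  const location = new Proxy({ href: frameUrl }, {
    get(target, prop) {
      if (sameOrigin) return target[prop];
      if (mode === 'throw') {
        const err = new Error('cross-origin read of location.' + String(prop));
        err.name = 'SecurityError';
        err.code = SECURITY_ERR;
        throw err;
      }
      return undefined;
    }
  });
  return { location };
}

// Read frame.location.href without letting engine differences leak into callers.
// Only security errors are treated as "blocked"; anything else is rethrown.
function readFrameHref(frame) {
  try {
    const href = frame.location.href;
    if (typeof href !== 'string') {
      return { readable: false, reason: 'blocked-silently' };
    }
    return { readable: true, href };
  } catch (e) {
    if (e && (e.code === SECURITY_ERR || e.name === 'SecurityError')) {
      return { readable: false, reason: 'security-error' };
    }
    throw e;
  }
}
```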