[webkit-dev] Throwing SECURITY_ERR on cross-origin window.location property accesses

Mihai Parparita mihaip at chromium.org
Thu Aug 12 20:08:01 PDT 2010

I was wondering if it would be a reasonable change to make accessing
location.href (and other location properties) throw SECURITY_ERR when
accessed across origins (https://webkit.org/b/43504). This initially was
reported on the Chrome side (http://crbug.com/17325), but it looks like
neither the JSC nor V8 bindings do this, so fixing it across the board
seemed reasonable.

>From my investigations, it looks like IE and Gecko both throw an exception
in this case, and the HTML5 spec mentions it too (

I realize that we're cautious around the access checks for security reasons
(based on changes like https://trac.webkit.org/changeset/48619), but this
seems safe since 1) we were returning control to the script at that point
anyway 2) we already throw exceptions in some cases in that code:

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-dev/attachments/20100812/a042e9ef/attachment.html>

More information about the webkit-dev mailing list