[webkit-dev] Throwing SECURITY_ERR on cross-origin window.location property accesses

Darin Fisher darin at chromium.org
Thu Aug 12 20:33:39 PDT 2010

Matching IE and FF means we shouldn't suffer too much in terms of
incompatibilities.  Of course, there could be some WebKit-specific content
out there that would break.

This seems like a worthwhile change to try out.


On Thu, Aug 12, 2010 at 8:08 PM, Mihai Parparita <mihaip at chromium.org> wrote:

> I was wondering if it would be a reasonable change to make accessing
> location.href (and other location properties) throw SECURITY_ERR when
> accessed across origins (https://webkit.org/b/43504). This initially was
> reported on the Chrome side (http://crbug.com/17325), but it looks like
> neither the JSC nor V8 bindings do this, so fixing it across the board
> seemed reasonable.
>
> From my investigations, it looks like IE and Gecko both throw an exception
> in this case, and the HTML5 spec mentions it too
> (http://www.whatwg.org/specs/web-apps/current-work/multipage/history.html#security-location).
>
> I realize that we're cautious around the access checks for security reasons
> (based on changes like https://trac.webkit.org/changeset/48619), but this
> seems safe since 1) we were returning control to the script at that point
> anyway 2) we already throw exceptions in some cases in that code:
> https://trac.webkit.org/browser/trunk/WebCore/bindings/js/JSLocationCustom.cpp#L219
>
> Thanks,
> Mihai