[webkit-dev] Throwing SECURITY_ERR on cross-origin window.location property accesses

Jeremy Orlow jorlow at chromium.org
Fri Aug 13 02:12:32 PDT 2010

On Fri, Aug 13, 2010 at 8:42 AM, Maciej Stachowiak <mjs at apple.com> wrote:

> On Aug 12, 2010, at 8:08 PM, Mihai Parparita wrote:
> I was wondering if it would be a reasonable change to make accessing
> location.href (and other location properties) throw SECURITY_ERR when
> accessed across origins (https://webkit.org/b/43504). This initially was
> reported on the Chrome side (g <http://crbug.com/17325>iv), but it looks
> like neither the JSC nor V8 bindings do this, so fixing it across the board
> seemed reasonable.
> From my investigations, it looks like IE and Gecko both throw an exception
> in this case, and the HTML5 spec mentions it too (
> http://www.whatwg.org/specs/web-apps/current-work/multipage/history.html#security-location
> ).
> I realize that we're cautious around the access checks for security reasons
> (based on changes like https://trac.webkit.org/changeset/48619), but this
> seems safe since 1) we were returning control to the script at that point
> anyway 2) we already throw exceptions in some cases in that code:
> https://trac.webkit.org/browser/trunk/WebCore/bindings/js/JSLocationCustom.cpp#L219
> I think what we do is better than what HTML5 specifies for this:
> 1) It means the access control goes in fewer places - we don't have to have
> access control on every document property, only window properties.
> 2) If access is denied for security reasons, it seems like it gives the
> attacker less information and less potential attack surface to just give
> them an undefined value instead of raising a security exception. Security
> errors make it easier to probe.
> So in general I'm not in a rush to change this. However, if the original
> bug involved a compatibility problem on a real site (it doesn't really say),
> then maybe that would be a stronger reason to change.
> Regards,
> Maciej

If we're willfully going against the spec because we think our solution is
better, should this be brought up on WhatWG or in the HTML WG?  (Or has it

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-dev/attachments/20100813/16bfa79e/attachment.html>

More information about the webkit-dev mailing list