[webkit-dev] Throwing SECURITY_ERR on cross-origin window.location property accesses

Mihai Parparita mihaip at chromium.org
Fri Aug 13 10:19:40 PDT 2010

On Fri, Aug 13, 2010 at 9:59 AM, Mihai Parparita <mihaip at chromium.org> wrote:
> I've asked Joseph (the original reporter of http://crbug.com/17325)
> where he ran into this.

Joseph replied and said "While there is a proprietary web app that
relies on this, but it is used at a small company I no longer work for
and have no access to. However, I do remember it being a little
frustrating developing around this since Firefox and IE both throw the

The other reason why throwing the exception might be preferable is to
avoid console log "spam". For example, http://www.nytimes.com/ has
lots of iframes that (for whatever reason) reach into the parent (or
vice-versa). In Safari and Chrome, the console has 6 "unsafe
JavaScript access" messages, which the developer can't avoid, even if
they're expecting possible errors (in Firefox there's only 1, so I
assume at least some of their JS has try/catch blocks around
cross-origin access). If we replace the printErrorMessageForFrame call
with setDOMException(exec, SECURITY_ERR) then developers who catch the
exception can avoid the log message.


More information about the webkit-dev mailing list