[webkit-dev] Throwing SECURITY_ERR on cross-origin window.location property accesses

Mihai Parparita mihaip at chromium.org
Mon Aug 16 13:50:54 PDT 2010


I was wondering if there are any other thoughts on this. It seems like
there's a real-world need for this (based on the usages I tracked down, and
the log spam problem) and all other browsers (and the HTML5 spec) have the
exception-throwing behavior.

Thanks,
Mihai

On Fri, Aug 13, 2010 at 10:19 AM, Mihai Parparita <mihaip at chromium.org> wrote:

> On Fri, Aug 13, 2010 at 9:59 AM, Mihai Parparita <mihaip at chromium.org>
> wrote:
> > I've asked Joseph (the original reporter of http://crbug.com/17325)
> > where he ran into this.
>
> Joseph replied and said "While there is a proprietary web app that
> relies on this, but it is used at a small company I no longer work for
> and have no access to. However, I do remember it being a little
> frustrating developing around this since Firefox and IE both throw the
> exception."
>
> The other reason why throwing the exception might be preferable is to
> avoid console log "spam". For example, http://www.nytimes.com/ has
> lots of iframes that (for whatever reason) reach into the parent (or
> vice-versa). In Safari and Chrome, the console has 6 "unsafe
> JavaScript access" messages, which the developer can't avoid, even if
> they're expecting possible errors (in Firefox there's only 1, so I
> assume at least some of their JS has try/catch blocks around
> cross-origin access). If we replace the printErrorMessageForFrame call
> with setDOMException(exec, SECURITY_ERR) then developers who catch the
> exception can avoid the log message.
>
> Mihai
>
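
The try/catch pattern the thread refers to, as an added example that is not part of the original messages or of WebKit's code: a probe that reports whether a cross-origin `location` read was allowed, refused with an exception, or refused without one. `probeLocation` and `fakeWindow` are hypothetical names, the window objects are constructed stand-ins, and the assumption that a non-throwing engine returns `undefined` is mine, not the thread's.

```javascript
// Probe another window's location without assuming how the browser
// reports a same-origin-policy denial.
function probeLocation(win) {
  try {
    const href = win.location.href;
    // Assumption: an engine that logs instead of throwing returns undefined.
    if (typeof href !== "string") {
      return { access: "denied-silently", href: null };
    }
    return { access: "allowed", href };
  } catch (e) {
    // SECURITY_ERR is DOMException code 18; newer engines name it SecurityError.
    if (e && (e.code === 18 || e.name === "SecurityError")) {
      return { access: "denied-exception", href: null };
    }
    throw e; // not a same-origin-policy denial: do not swallow it
  }
}

// Constructed stand-ins for window objects, so the block runs outside a browser.
function fakeWindow(kind) {
  const location = {};
  Object.defineProperty(location, "href", {
    get() {
      if (kind === "same-origin") return "http://example.test/frame.html";
      if (kind === "throws") {
        const err = new Error("Security error");
        err.name = "SecurityError";
        err.code = 18;
        throw err;
      }
      if (kind === "broken") throw new TypeError("unrelated bug");
      return undefined; // kind === "silent"
    },
  });
  return { location };
}

function demo() {
  return ["same-origin", "throws", "silent"].map(
    (kind) => probeLocation(fakeWindow(kind)).access
  );
}

console.log(demo());
```

Only the exception path lets calling code tell a policy denial apart from a value that is genuinely missing, and unrelated errors are rethrown rather than hidden.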