[webkit-dev] Throwing SECURITY_ERR on cross-origin window.location property accesses

Sam Weinig sam.weinig at gmail.com
Mon Aug 16 14:16:57 PDT 2010


I am not sure I agree.  Does our behavior actually cause any real bugs in
the places you have tracked down?  The log spam really doesn't seem like an
issue, we can remove it if we want to, but have found it useful in the
past.

I agree with Maciej that the current behavior is in many ways better, so I
am not in a rush to change this just to be more spec compliant.

-Sam

On Mon, Aug 16, 2010 at 1:50 PM, Mihai Parparita <mihaip at chromium.org>wrote:

> I was wondering if there are any other thoughts on this. It seems like
> there's real-world need from this (based on the usages I tracked down, and
> log spam problem) and all other browsers (and the HTML5 spec) have the
> exception-throwing behavior.
>
> Thanks,
> Mihai
>
>
> On Fri, Aug 13, 2010 at 10:19 AM, Mihai Parparita <mihaip at chromium.org>wrote:
>
>> On Fri, Aug 13, 2010 at 9:59 AM, Mihai Parparita <mihaip at chromium.org>
>> wrote:
>> > I've asked Joseph (the original reporter of http://crbug.com/17325)
>> > where he ran into this.
>>
>> Joseph replied and said "While there is a proprietary web app that
>> relies on this, but it is used at a small company I no longer work for
>> and have no access to. However, I do remember it being a little
>> frustrating developing around this since Firefox and IE both throw the
>> exception."
>>
>> The other reason why throwing the exception might be preferable is to
>> avoid console log "spam". For example, http://www.nytimes.com/ has
>> lots of iframes that (for whatever reason) reach into the parent (or
>> vice-versa). In Safari and Chrome, the console has 6 "unsafe
>> JavaScript access" messages, which the developer can't avoid, even if
>> they're expecting possible errors (in Firefox there's only 1, so I
>> assume at least some of their JS has try/catch blocks around
>> cross-origin access). If we replace the printErrorMessageForFrame call
>> with setDOMException(exec, SECURITY_ERR) then developers who catch the
>> exception can avoid the log message.
>>
>> Mihai
>>
>
>
> _______________________________________________
> webkit-dev mailing list
> webkit-dev at lists.webkit.org
> http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-dev/attachments/20100816/cfd0897c/attachment.html>


More information about the webkit-dev mailing list