[webkit-dev] Throwing SECURITY_ERR on cross-origin window.location property accesses

[Rob Barreca]

On Wed, Aug 25, 2010 at 3:23 PM, Darin Adler <darin at apple.com> wrote:

> Does checking the value of window.top.location.href afterward work? Or
> maybe that doesn’t happen until some unpredictable amount of time later when
> the load makes progress?
>

Hey Darin, thanks for the reply. Unfortunately checking the href afterward
does not work. A couple problems, (1) we can't access the value at all
because the browser prevents the actual reading of the value since
window.top is different-origin so it comes back empty string, and even if we
could read the href the big problem at least in Android 2.2 is that (2) the
browser refreshes the page when the unsafe JS access happens so the user is
already being navigated away in essence.

Right now we have a big hack detecting Android 2.2 and always opening links
with window.open(), but I know there are other WebKit use-cases we'll need
to account for that we haven't got a good repro on yet. Being able to detect
different-origin cases ahead of time (or try/catch) would really improve the
user experience of this IFRAMEd content.

Best,

-- 
Rob Barreca
Director of Development
Sprout, Inc.
Mobile: 808.224.1905

Confidential and Proprietary Property of Sprout; Do not distribute.  The
information contained in this email is confidential.  This information is
intended for use only by the individual to whom it is addressed. If you are
not the intended recipient, you are hereby notified that any use,
dissemination, distribution or copying of this communication and its
contents is strictly prohibited. If you have received this email in error,
please immediately notify the sender by return email and delete this email
and attachments, and destroy all copies.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-dev/attachments/20100825/00d73219/attachment.html>