[webkit-dev] Throwing SECURITY_ERR on cross-origin window.location property accesses

Geoffrey Garen ggaren at apple.com
Thu Aug 26 10:20:31 PDT 2010


> (1) we can't access the value at all because the browser prevents the actual reading of the value since window.top is different-origin so it comes back empty string,

Isn't empty string sufficient to indicate lack of access? What unique information does an exception provide?

> and even if we could read the href the big problem at least in Android 2.2 is that (2) the browser refreshes the page when the unsafe JS access happens so the user is already being navigated away in essence.

Can you provide more information about this?

Is this intentional behavior, or just a bug in Android?

Does the browser refresh upon reads and writes of location.href, or only writes?

Thanks,
Geoff



More information about the webkit-dev mailing list