[webkit-dev] Throwing SECURITY_ERR on cross-origin window.location property accesses

Rob Barreca rob at sproutinc.com
Tue Sep 7 16:59:39 PDT 2010

On Thu, Aug 26, 2010 at 7:20 AM, Geoffrey Garen <ggaren at apple.com> wrote:

> Isn't empty string sufficient to indicate lack of access? What unique
> information does an exception provide?

Sorry for the delay in my response. Had a big couple weeks there.

So initially, I was testing for empty string but in all instances of iOS and
Android I would get the empty string back. This is correct behavior since I
was trying to read a different-origin parent's URL, which shouldn't be
allowed. But that didn't give me enough information.

The problem in our scenario is that even though I cannot *read* it in all
versions of iOS and Android, all of those environments will allow me to
*write* top.location.href and send the user away...except for Android 2.2.
So I suppose my hope was that an exception while attempting to *write* would
let me know that the write was going to fail, and I should do
window.open(url) instead.

It's not a huge problem and it seems technically we should just be
defaulting to window.open(url) even though most mobile environments allow
writing to top.location.href even if the top window is different-origin.

>> and even if we could read the href the big problem at least in Android
>> 2.2 is that (2) the browser refreshes the page when the unsafe JS access
>> happens so the user is already being navigated away in essence.
>
> Can you provide more information about this?
>
> Is this intentional behavior, or just a bug in Android?

So after thinking about it more, my problem is that Android 2.2 is dealing
with the write in a weird way versus previous Android versions and iOS.


> Does the browser refresh upon reads and writes of location.href, or only
> writes?

Only writes; when I wrote "access" in the last email I meant "write".


Rob Barreca
Director of Development
Sprout, Inc.
Mobile: 808.224.1905

Confidential and Proprietary Property of Sprout; Do not distribute.  The
information contained in this email is confidential.  This information is
intended for use only by the individual to whom it is addressed. If you are
not the intended recipient, you are hereby notified that any use,
dissemination, distribution or copying of this communication and its
contents is strictly prohibited. If you have received this email in error,
please immediately notify the sender by return email and delete this email
and attachments, and destroy all copies.
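The two navigation strategies discussed in this message, as an added example that is not code from the thread or from WebKit. The window objects below are constructed stand-ins so the logic runs outside a browser: `sameOriginWindow` models a same-origin top frame, and `crossOriginWindow` models the cross-origin behaviours described above (reads that come back as "" or throw a SecurityError, writes that are allowed or throw). In a real page `win` would simply be `window`.

```javascript
// Added example, not from the original thread. Shows the probe-then-navigate
// logic for a frame that wants to send the user to `url` via its top window.

// Mirrors the DOMException name browsers use for forbidden cross-origin access.
function makeSecurityError() {
  const e = new Error("Blocked a frame from accessing a cross-origin frame.");
  e.name = "SecurityError";
  return e;
}

// Constructed stand-in: top frame is same-origin, so href is fully readable.
function sameOriginWindow() {
  const calls = [];
  return {
    top: { location: { href: "https://example.test/parent" } },
    calls,
    open: (url) => { calls.push(["open", url]); return {}; },
  };
}

// Constructed stand-in for a cross-origin top frame.
//   readMode:  "empty" (href reads back as "", the older WebKit behaviour the
//              thread reports) or "throw" (SecurityError, current browsers)
//   writeMode: "allow" (the write navigates) or "throw" (SecurityError)
function crossOriginWindow({ readMode, writeMode }) {
  const calls = [];
  const location = {};
  Object.defineProperty(location, "href", {
    get() {
      if (readMode === "throw") throw makeSecurityError();
      return "";
    },
    set(url) {
      if (writeMode === "throw") throw makeSecurityError();
      calls.push(["top-nav", url]);
    },
  });
  return {
    top: { location },
    calls,
    open: (url) => { calls.push(["open", url]); return {}; },
  };
}

// Probe: returns top's href when it is readable, null when the read is
// blocked, whether the engine signals that with "" or with SecurityError.
function topHrefOrNull(win) {
  try {
    const href = win.top.location.href;
    return href === "" ? null : href;
  } catch (e) {
    if (e.name === "SecurityError") return null;
    throw e;
  }
}

// Strategy A, the one the message hoped for: attempt the write to
// top.location.href and fall back to window.open only if it throws.
// This cannot help when an engine fails the write silently.
function navigateTopOrOpen(win, url) {
  try {
    win.top.location.href = url;
    return "top-nav";
  } catch (e) {
    if (e.name !== "SecurityError") throw e;
    win.open(url);
    return "open";
  }
}

// Strategy B, the conservative default the message settles on: only write
// top.location.href when top is provably same-origin, otherwise window.open,
// so the outcome does not depend on how a given engine handles the write.
function navigateConservative(win, url) {
  if (topHrefOrNull(win) !== null) {
    win.top.location.href = url;
    return "top-nav";
  }
  win.open(url);
  return "open";
}

// Runs both strategies against the three constructed environments.
function runScenarios(url) {
  const envs = {
    sameOrigin: () => sameOriginWindow(),
    crossOriginEmptyRead: () => crossOriginWindow({ readMode: "empty", writeMode: "allow" }),
    crossOriginThrowing: () => crossOriginWindow({ readMode: "throw", writeMode: "throw" }),
  };
  const out = {};
  for (const [name, make] of Object.entries(envs)) {
    out[name] = {
      tryWrite: navigateTopOrOpen(make(), url),
      conservative: navigateConservative(make(), url),
    };
  }
  return out;
}

console.log(JSON.stringify(runScenarios("https://dest.test/"), null, 2));
```

The `crossOriginEmptyRead` scenario is the one the message describes on iOS and older Android: the probe says "not readable", the write nevertheless succeeds, and only the conservative strategy avoids relying on that write. Current browsers throw a SecurityError on the cross-origin read rather than returning "", which is why the probe treats both signals the same way.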