[webkit-dev] Throwing SECURITY_ERR on cross-origin window.location property accesses (revisited).

Mike West mkwst at chromium.org
Mon Feb 4 05:04:42 PST 2013


Way back in the depths of 2010, Mihai suggested that we begin to throw
exceptions when accessing Location properties across origins[1]. Currently,
we log an "Unsafe JavaScript attempt to access..." message to the console,
and return null. Hit http://talkingpointsmemo.com/ with the console open
for an example of how this can get out of hand.

At the moment, IE, Firefox, and Opera all throw an exception here, and the
spec agrees with this behavior[2]. Given this bifurcation, developers are
generally forced to have two paths for code that touches Location: one for
WebKit, one for everyone else. They're generally not able to avoid the
error message (though `ancestorOrigins` should now address some of the use
cases), which is a bit annoying.

Anecdotally, I see this message quite often when browsing around with the
console open in Canary, and practically never when doing the same in
Firefox. This is something I'd like to address.

I've resurrected the JSC side of Mihai's old patch[3], where this was
discussed some more. Before getting too far along with that, however:
Maciej, Sam, others, WDYT?

[1]: https://lists.webkit.org/pipermail/webkit-dev/2010-August/013880.html
[2]: http://www.whatwg.org/specs/web-apps/current-work/multipage/history.html#security-location
[3]: https://bugs.webkit.org/show_bug.cgi?id=43891

-mike
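
Added example, not part of the original message or of WebKit's code: a sketch of the single code path page authors need while both behaviours described above coexist (an exception in some browsers, a silent null in WebKit). The helper names `readHref` and `parentOrigin` and the two stand-in window objects are hypothetical and constructed so the block runs outside a browser.

```javascript
// Constructed stand-ins for a cross-origin parent window; not real browser objects.
function throwingWindow() {            // IE / Firefox / Opera / spec behaviour
  const location = {};
  Object.defineProperty(location, 'href', {
    get() {
      const e = new Error('cross-origin access');
      e.name = 'SecurityError';
      e.code = 18;                     // DOMException.SECURITY_ERR
      throw e;
    }
  });
  return { location };
}
function silentWindow() {              // WebKit behaviour as described in the message
  return { location: { get href() { return null; } } };
}

// Hypothetical helper: one code path that classifies both denial styles.
function readHref(win) {
  try {
    const href = win.location.href;
    if (href === null || href === undefined) {
      return { ok: false, reason: 'denied-silently' };
    }
    return { ok: true, href };
  } catch (e) {
    if (e && (e.name === 'SecurityError' || e.code === 18)) {
      return { ok: false, reason: 'denied-with-exception' };
    }
    throw e;                           // unrelated failure: do not mask it
  }
}

// Hypothetical helper: prefer ancestorOrigins so the parent's Location is
// never touched; fall back to readHref only when it is unavailable.
function parentOrigin(self) {
  const origins = self.location.ancestorOrigins;
  if (origins && origins.length > 0) return origins[0];
  const r = readHref(self.parent);
  return r.ok ? new URL(r.href).origin : null;
}
```

Treating both denial styles as "not accessible" keeps the same-origin check fail-closed regardless of which behaviour the browser implements.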