[webkit-dev] Throwing SECURITY_ERR on cross-origin window.location property accesses (revisited).
Adam Barth
abarth at webkit.org
Mon Feb 4 08:48:50 PST 2013
Given the consistency of other user agents, this looks like the right thing
to do for the web. We should try it in Canary to see if it's compatible
with the web.
Adam
On Feb 4, 2013 5:05 AM, "Mike West" <mkwst at chromium.org> wrote:
> Way back in the depths of 2010, Mihai suggested that we begin to throw
> exceptions when accessing Location properties across origins[1]. Currently,
> we log a "Unsafe JavaScript attempt to access..." message to the console,
> and return null. Hit http://talkingpointsmemo.com/ with the console open
> for an example of how this can get out of hand.
>
> At the moment, IE, Firefox, and Opera all throw an exception here, and the
> spec agrees with this behavior[2]. Given this bifurcation, developers are
> generally forced to have two paths for code that touches Location: one for
> WebKit, one for everyone else. They're generally not able to avoid the
> error message (though `ancestorOrigins` should now address some of the use
> case), which is a bit annoying.
>
> Anecdotally, I see this message quite often when browsing around with the
> console open in Canary, and practically never when doing the same in
> Firefox. This is something I'd like to address.
>
> I've resurrected the JSC side of Mihai's old patch[3], where this was
> discussed some more. Before getting too far along with that, however:
> Maciej, Sam, others, WDYT?
>
> [1]: https://lists.webkit.org/pipermail/webkit-dev/2010-August/013880.html
> [2]:
> http://www.whatwg.org/specs/web-apps/current-work/multipage/history.html#security-location
> [3]: https://bugs.webkit.org/show_bug.cgi?id=43891
>
> -mike
>
> _______________________________________________
> webkit-dev mailing list
> webkit-dev at lists.webkit.org
> https://lists.webkit.org/mailman/listinfo/webkit-dev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-dev/attachments/20130204/5f4f3ca4/attachment.html>
More information about the webkit-dev
mailing list