[webkit-dev] Throwing SECURITY_ERR on cross-origin window.location property accesses (revisited).

Maciej Stachowiak mjs at apple.com
Mon Feb 4 09:21:54 PST 2013


On Feb 4, 2013, at 5:04 AM, Mike West <mkwst at chromium.org> wrote:

> Way back in the depths of 2010, Mihai suggested that we begin to throw exceptions when accessing Location properties across origins[1]. Currently, we log an "Unsafe JavaScript attempt to access..." message to the console, and return null. Hit http://talkingpointsmemo.com/ with the console open for an example of how this can get out of hand.
> 
> At the moment, IE, Firefox, and Opera all throw an exception here, and the spec agrees with this behavior[2]. Given this bifurcation, developers are generally forced to have two paths for code that touches Location: one for WebKit, one for everyone else. They're generally not able to avoid the error message (though `ancestorOrigins` should now address some of the use case), which is a bit annoying.

If Web developers legitimately have a reason to touch Location properties without knowing if it's allowed, then the exception approach seems better. Also better to align with other UAs.

 - Maciej

> 
> Anecdotally, I see this message quite often when browsing around with the console open in Canary, and practically never when doing the same in Firefox. This is something I'd like to address.
> 
> I've resurrected the JSC side of Mihai's old patch[3], where this was discussed some more. Before getting too far along with that, however: Maciej, Sam, others, WDYT? 
> 
> [1]: https://lists.webkit.org/pipermail/webkit-dev/2010-August/013880.html
> [2]: http://www.whatwg.org/specs/web-apps/current-work/multipage/history.html#security-location
> [3]: https://bugs.webkit.org/show_bug.cgi?id=43891
> 
> -mike
> _______________________________________________
> webkit-dev mailing list
> webkit-dev at lists.webkit.org
> https://lists.webkit.org/mailman/listinfo/webkit-dev
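
The two code paths discussed in this thread, folded into one fail-closed helper. This is an added example, not code from the thread or from WebKit; the function names, the stand-in window objects and the `app.example` URL are constructed for illustration.

```javascript
'use strict';

// Read one property of another window's Location without assuming which
// behaviour the engine implements. Returns { allowed, how, value }.
function readLocationProperty(win, prop) {
  let value;
  try {
    value = win.location[prop];
  } catch (e) {
    // Path 1: the engine throws on a cross-origin access.
    return { allowed: false, how: 'exception:' + e.name, value: null };
  }
  if (value == null) {
    // Path 2: the engine logs to the console and returns null.
    return { allowed: false, how: 'null', value: null };
  }
  return { allowed: true, how: 'read', value: String(value) };
}

// Fail closed: a window counts as the expected origin only if href was
// readable and parses to that origin.
function isOrigin(win, expectedOrigin) {
  const r = readLocationProperty(win, 'href');
  if (!r.allowed) return false;
  try {
    return new URL(r.value).origin === expectedOrigin;
  } catch (e) {
    return false; // unparseable href is treated as a denial
  }
}

// Constructed stand-ins for window objects (not real browser objects).
const throwingWin = { location: new Proxy({}, { get() {
  const err = new Error('cross-origin access denied');
  err.name = 'SecurityError';
  throw err;
} }) };
const nullWin = { location: new Proxy({}, { get() { return null; } }) };
const readableWin = { location: { href: 'https://app.example/page?x=1' } };

for (const [name, w] of Object.entries({ throwingWin, nullWin, readableWin })) {
  console.log(name, readLocationProperty(w, 'href').how,
              isOrigin(w, 'https://app.example'));
}
```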
