[Webkit-unassigned] [Bug 187411] New: Accessing response getter of XHR instance from IFRAME sets constructor to Object from the IFRAME
bugzilla-daemon at webkit.org
Fri Jul 6 14:06:29 PDT 2018
https://bugs.webkit.org/show_bug.cgi?id=187411
Bug ID: 187411
Summary: Accessing response getter of XHR instance from IFRAME
sets constructor to Object from the IFRAME
Product: WebKit
Version: Safari 11
Hardware: Macintosh
OS: macOS 10.13
Status: NEW
Severity: Normal
Priority: P2
Component: New Bugs
Assignee: webkit-unassigned at lists.webkit.org
Reporter: cvazac at gmail.com
Created attachment 344453
--> https://bugs.webkit.org/attachment.cgi?id=344453&action=review
test case
Scenario:
base page with one same-origin IFRAME
base page creates an XMLHttpRequest instance
Issue:
If the IFRAME adds a `readystatechange` listener to the XMLHttpRequest instance, and it reads the response getter before the `top` context does, the `constructor` of the object will be equivalent to `iframe.contentWindow.Object`, not `top.Object`.
This "works" in other browsers, including Safari 10.0.1.
Works in 604.5.6.
Fails in 605.1.15.
Code executed in the IFRAME:
xhr.addEventListener('readystatechange', function(){
  xhr.response
})
From this point forward:
xhr.response.constructor === iframe.contentWindow.Object
xhr.response.constructor !== top.Object
See https://cvazac.netlify.com/xhr-response-constructor/ for reproducible case.
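
The realm mismatch described in this report, as an added example that is not part of the original report or of WebKit's code: a Node `vm` context stands in for the same-origin IFRAME, and it shows why a `constructor === Object` check fails on such an object while a prototype-chain check does not. `makeXhrLike` is a hypothetical model of "whoever reads the getter first decides the realm"; all helper names are assumptions.

```javascript
const vm = require('node:vm');

// A second realm with its own Object, JSON, ... (plays the IFRAME).
const frame = vm.createContext({});
const frameObject = vm.runInContext('Object', frame);
const frameParse = vm.runInContext('(s) => JSON.parse(s)', frame);

// Hypothetical model of the reported behaviour: the response object is built
// lazily by the first reader's realm and cached for every later reader.
function makeXhrLike(body) {
  let cached;
  return {
    readResponse(parseInCallerRealm) {
      if (cached === undefined) cached = parseInCallerRealm(body);
      return cached;
    },
  };
}

// Fragile: identity comparison against this realm's Object constructor.
function isPlainObjectFragile(v) {
  return v !== null && typeof v === 'object' && v.constructor === Object;
}

// Realm-independent: the prototype is null or is the root of a prototype
// chain, which is true of Object.prototype in every realm.
function isPlainObjectAnyRealm(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === null || Object.getPrototypeOf(proto) === null;
}

// Report which known realm created the object (useful when debugging).
function realmOf(v, realms) {
  const proto = Object.getPrototypeOf(v);
  const hit = Object.entries(realms).find(([, ctor]) => ctor.prototype === proto);
  return hit ? hit[0] : 'unknown';
}

function demo() {
  const xhr = makeXhrLike('{"ok":true}');      // constructed sample body
  xhr.readResponse(frameParse);                // IFRAME listener reads first
  const seenByTop = xhr.readResponse((s) => JSON.parse(s)); // top gets the cached object
  return {
    constructorIsTopObject: seenByTop.constructor === Object,
    constructorIsFrameObject: seenByTop.constructor === frameObject,
    fragile: isPlainObjectFragile(seenByTop),
    robust: isPlainObjectAnyRealm(seenByTop),
    realm: realmOf(seenByTop, { top: Object, iframe: frameObject }),
  };
}
console.log(demo());
```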