[Webkit-unassigned] [Bug 146785] toJSDOMWindow() does not handle objects that descend from the JS DOM Window (crashes on use)
bugzilla-daemon at webkit.org
Mon May 17 09:40:36 PDT 2021
https://bugs.webkit.org/show_bug.cgi?id=146785
Alexey Shvayka <shvaikalesh at gmail.com> changed:
What     |Removed |Added
----------------------------------------------------------------------------
CC       |        |shvaikalesh at gmail.com
See Also |        |https://bugs.webkit.org/show_bug.cgi?id=223758
--- Comment #19 from Alexey Shvayka <shvaikalesh at gmail.com> ---
Thank you for fixing the crash, Mark!
Per spec (step 1.1.2.3 of https://heycam.github.io/webidl/#dfn-attribute-getter), there is no prototype chain traversal.
`Object.create(window).location` should throw TypeError, like Gecko and Blink do.
Since 2015, WebIDL bindings were significantly improved, so https://bugs.webkit.org/show_bug.cgi?id=223758 just drops the prototype chain lookup.
Also, it's not safe & correct to perform getPrototypeDirect() unconditionally.
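The distinction the comment draws (a brand check on the receiver itself versus a walk up the prototype chain) can be modelled outside a browser. The following is an added example, not WebKit code and not part of the bug report: `ModelWindow`, `legacyLocationGetter`, `probe` and `runScenarios` are names chosen here, and the WeakSet standing in for the native object brand is an assumption of the model, since real engines keep that brand inside the wrapped platform object. In a real browser the equivalent one-line check is `Object.create(window).location`, which per the comment should throw a TypeError.

```javascript
// Added example (not WebKit code): models how a WebIDL attribute getter
// decides whether `this` is a platform object of the right interface.
// Assumption: a WeakSet of genuine instances plays the role of the brand
// that a real engine stores inside the native object.
const windowInstances = new WeakSet();

class ModelWindow {
  constructor(locationHref) {
    this._href = locationHref;
    windowInstances.add(this); // only real instances receive the brand
  }
}

// Spec-style getter: the brand check is applied to `this` itself and no
// prototype chain is consulted (the attribute getter algorithm throws a
// TypeError when the receiver does not implement the interface).
Object.defineProperty(ModelWindow.prototype, 'location', {
  get() {
    if (!windowInstances.has(this)) {
      throw new TypeError('Illegal invocation');
    }
    return this._href;
  },
  configurable: true,
});

// Legacy-style getter (the behaviour the comment argues against): walk the
// prototype chain until a branded object is found and answer for that one.
function legacyLocationGetter(receiver) {
  for (let o = receiver; o !== null; o = Object.getPrototypeOf(o)) {
    if (windowInstances.has(o)) return o._href;
  }
  throw new TypeError('Illegal invocation');
}

// Invoke the spec-style getter with an arbitrary receiver as `this`.
function specLocationGetter(receiver) {
  const desc = Object.getOwnPropertyDescriptor(ModelWindow.prototype, 'location');
  return desc.get.call(receiver);
}

// Capture either the returned value or the thrown error's class name.
function probe(getter, receiver) {
  try {
    return { ok: true, value: getter(receiver) };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Three receivers: a real instance, an object created with the instance as
// its prototype (the shape from the bug title), and an unrelated object.
function runScenarios() {
  const win = new ModelWindow('https://example.test/'); // constructed value
  const derived = Object.create(win);
  const plain = {};
  return {
    spec: {
      real: probe(specLocationGetter, win),
      derived: probe(specLocationGetter, derived),
      plain: probe(specLocationGetter, plain),
    },
    legacy: {
      real: probe(legacyLocationGetter, win),
      derived: probe(legacyLocationGetter, derived),
      plain: probe(legacyLocationGetter, plain),
    },
  };
}

console.log(JSON.stringify(runScenarios(), null, 2));
```

Under the spec-style getter only the genuine instance yields a value and both other receivers get a TypeError; the legacy walk also answers for the derived object, which is exactly the case the comment says should throw, as Gecko and Blink already do.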