Bug 154779

Summary: Prevent cross-origin access to Location.assign() / Location.reload()
Product: WebKit Reporter: Chris Dumez <cdumez>
Component: DOMAssignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED    
Severity: Normal CC: barraclough, commit-queue, sam
Priority: P2 Keywords: WebExposed
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
URL: https://html.spec.whatwg.org/multipage/browsers.html#crossoriginproperties-(-o-)
Attachments:
Description Flags
Patch none

Description Chris Dumez 2016-02-27 12:47:54 PST 
Prevent cross-origin access to Location.assign() / Location.reload() to match the latest specification:
https://html.spec.whatwg.org/multipage/browsers.html#crossoriginproperties-(-o-)

Firefox and Chrome already prevent this but Safari allows it.

We should only allow cross origin access to Location.replace() and the Location.href setter.
Comment 1 Chris Dumez 2016-02-27 13:27:20 PST 
Created attachment 272421 [details]
Patch
Comment 2 WebKit Commit Bot 2016-02-27 16:50:22 PST 
Comment on attachment 272421 [details]
Patch

Clearing flags on attachment: 272421

Committed r197263: <http://trac.webkit.org/changeset/197263>
Comment 3 WebKit Commit Bot 2016-02-27 16:50:26 PST 
All reviewed patches have been landed.  Closing bug.