Bug 154779

Summary:

Prevent cross-origin access to Location.assign() / Location.reload()

Product:

WebKit

Reporter:

Chris Dumez <cdumez>

Component:

DOM

Assignee:

Chris Dumez <cdumez>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

barraclough, commit-queue, sam

Priority:

Keywords:

WebExposed

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

URL:

https://html.spec.whatwg.org/multipage/browsers.html#crossoriginproperties-(-o-)

Attachments:

Description	Flags
Patch	none

Chris Dumez

Reported 2016-02-27 12:47:54 PST

Prevent cross-origin access to Location.assign() / Location.reload() to match the latest specification: https://html.spec.whatwg.org/multipage/browsers.html#crossoriginproperties-(-o-) Firefox and Chrome already prevent this but Safari allows it. We should only allow cross origin access to Location.replace() and the Location.href setter.

Attachments
Patch (16.93 KB, patch) 2016-02-27 13:27 PST, Chris Dumez	no flags	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Chris Dumez

Comment 1 2016-02-27 13:27:20 PST

Created attachment 272421 [details] Patch

WebKit Commit Bot

Comment 2 2016-02-27 16:50:22 PST

Comment on attachment 272421 [details] Patch Clearing flags on attachment: 272421 Committed r197263: <http://trac.webkit.org/changeset/197263>

WebKit Commit Bot

Comment 3 2016-02-27 16:50:26 PST

All reviewed patches have been landed. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.