Bug 161396

Summary: Object.setPrototypeOf() should throw when used on a cross-origin Window / Location object
Product: WebKit
Reporter: Chris Dumez <cdumez>
Component: DOM
Assignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED
Severity: Normal
CC: bzbarsky, cdumez, commit-queue, darin, ggaren, keith_miller, mark.lam, msaboff, rniwa, sam, sbarati
Priority: P2
Keywords: WebExposed
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=161393
          https://bugs.webkit.org/show_bug.cgi?id=161455
Attachments (Description / Flags):
Patch / none
Patch / rniwa: review+

Description Chris Dumez 2016-08-30 12:44:22 PDT
Object.setPrototypeOf() should throw when used on a cross-origin Window / Location object:
- https://html.spec.whatwg.org/#windowproxy-setprototypeof
- https://html.spec.whatwg.org/#location-setprototypeof
- http://www.ecma-international.org/ecma-262/6.0/#sec-object.setprototypeof (step 7)

Firefox and Chrome already throw. However, WebKit merely ignores the call and logs an error message.
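The behaviour the description asks for, as an added example that is not part of the WebKit patch: a real cross-origin WindowProxy or Location cannot be created in a standalone script, so both objects below are constructed Proxy stand-ins whose `setPrototypeOf` trap models the object's [[SetPrototypeOf]] internal method. The point it shows is the ECMAScript side of the linked spec text: once the internal method returns false, `Object.setPrototypeOf` (step 7) must throw a TypeError, whereas `Reflect.setPrototypeOf` only reports the boolean.

```javascript
// Constructed model of the spec behaviour for a cross-origin Window/Location:
// the object's [[SetPrototypeOf]] refuses the change by returning false.
function makeSpecCompliantCrossOriginObject() {
  return new Proxy({}, {
    setPrototypeOf() {
      return false;
    },
  });
}

// Constructed model of the pre-fix WebKit behaviour described in the bug:
// the call is silently ignored (prototype unchanged) and nothing is thrown.
function makeLegacyIgnoringObject() {
  return new Proxy({}, {
    setPrototypeOf() {
      return true; // reports success without actually changing anything
    },
  });
}

// Attempts Object.setPrototypeOf on `obj` and reports what happened.
// Per ECMAScript Object.setPrototypeOf step 7, a false result from
// [[SetPrototypeOf]] surfaces as a TypeError; Reflect.setPrototypeOf
// returns the raw boolean instead of throwing.
function probeSetPrototypeOf(obj) {
  const proto = { injected: true }; // constructed prototype an attacker might try to install
  let outcome;
  try {
    Object.setPrototypeOf(obj, proto);
    outcome = "no-throw";
  } catch (e) {
    outcome = e instanceof TypeError ? "TypeError" : "other-error";
  }
  return {
    outcome,
    reflectResult: Reflect.setPrototypeOf(obj, proto),
    prototypeChanged: Object.getPrototypeOf(obj) === proto,
  };
}
```

Running `probeSetPrototypeOf` on the spec-compliant model yields `"TypeError"`, on the legacy model `"no-throw"` with the prototype left untouched, and on a plain object `"no-throw"` with the prototype actually replaced.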
Comment 1 Chris Dumez 2016-08-30 12:47:21 PDT
Created attachment 287421 [details]
Patch
Comment 2 Chris Dumez 2016-08-30 12:51:13 PDT
Created attachment 287423 [details]
Patch
Comment 3 Boris Zbarsky 2016-08-30 13:08:43 PDT
Object.setPrototypeOf should throw on a same-origin Window too (but not on same-origin Location).
Comment 4 Chris Dumez 2016-08-30 13:20:26 PDT
(In reply to comment #3)
> Object.setPrototypeOf should throw on a same-origin Window too (but not on
> same-origin Location).

As mentioned in the ChangeLog, I intentionally did not change the same-origin case in this patch. I'll consider making this change in a follow-up.

Also, could you clarify why it would throw for same-origin Location? The specification for Location and Window seems identical:
- https://html.spec.whatwg.org/#windowproxy-setprototypeof
- https://html.spec.whatwg.org/#location-setprototypeof
Comment 5 Boris Zbarsky 2016-08-30 14:31:10 PDT
> I'll consider making this change in a follow-up.

Ah, ok.

> Also, could you clarify why it would throw for same-origin Location?

I assume that's missing a negative somewhere...

I was wrong. It looks like the spec says to throw for Object.setPrototypeOf on a same-origin location (and at least Gecko does in fact do that).
Comment 6 Ryosuke Niwa 2016-08-30 15:48:09 PDT
Comment on attachment 287423 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=287423&action=review

> Source/JavaScriptCore/runtime/ObjectConstructor.cpp:233
> +        throwTypeError(exec, ASCIILiteral("permission denied"));

Capitalize p?
Comment 7 Chris Dumez 2016-08-30 15:51:39 PDT
Committed r205205: <http://trac.webkit.org/changeset/205205>