| Summary: | Worker URL resolution uses wrong scope | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Andrew Wilson <atwilson> |
| Component: | WebCore JavaScript | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW --- | ||
| Severity: | Normal | CC: | dbates |
| Priority: | P2 | ||
| Version: | 528+ (Nightly build) | ||
| Hardware: | PC | ||
| OS: | OS X 10.5 | ||
| See Also: | https://bugs.webkit.org/show_bug.cgi?id=226637 | ||
Section 4.8.2 of the Web Workers spec reads: >>> When the Worker(scriptURL) constructor is invoked, the user agent must run the following steps: Resolve the scriptURL argument relative to the first script's base URL, when the method is invoked. If this fails, throw a SYNTAX_ERR exception. If the origin of the resulting absolute URL is not the same as the origin of the script that invoked the constructor, then throw a security exception. <<< "first script's base URL" == the base URL of the dynamic global object "origin of the script that invoked the constructor" == "origin of the lexical global object" Currently we are using the lexical global object for both. The fail case is somewhat subtle (you end up having to grab constructors cross-frame, while changing your origin via document.domain.