|Summary:||location.href does not throw SECURITY_ERR when accessed across origins|
|Product:||WebKit||Reporter:||Mihai Parparita <mihai>|
|Severity:||Normal||CC:||abarth, annevk, ap, bugs.webkit.org, dpranke, j, levin, mkwst, sam, tonyg|
|Priority:||P2||Keywords:||EasyFix, HasReduction, HTML5|
|Version:||528+ (Nightly build)|
|Bug Depends on:||43891, 43892|
Description Mihai Parparita 2010-08-04 12:51:38 PDT
The HTML5 spec is pretty clear about this: http://www.whatwg.org/specs/web-apps/current-work/multipage/history.html#security-location For a test case, see the frames.location.href line of: http://persistent.info/webkit/test-cases/iframe-location-href.html?http://example.com It just shows that the return value is undefined, with no exception being thrown. Gecko and IE do throw the exception.
Comment 1 Mihai Parparita 2010-08-04 12:53:04 PDT
Comment 2 Mihai Parparita 2010-08-11 18:35:42 PDT
Since fixing the V8 bindings is significantly more complex than the JSC ones (see http://groups.google.com/group/v8-users/browse_thread/thread/e73680b6ca97a46d), I've split this bug into two (bug 43891 and bug 43892), since it'll be two pretty different patches.
Comment 3 David Levin 2012-03-22 16:25:23 PDT
*** Bug 81973 has been marked as a duplicate of this bug. ***
Comment 4 Mike West 2012-09-28 00:35:11 PDT
Mihai, I'm going to pick this up if you don't mind.
Comment 5 Mike West 2013-02-04 05:12:23 PST
Poking the webkit-dev bear again: https://lists.webkit.org/pipermail/webkit-dev/2013-February/023636.html
Comment 6 Anne van Kesteren 2017-03-30 00:04:49 PDT
Chris, I think you fixed this and some of the other bugs here too right? I can't reproduce comment 0 anymore in Safari TP anyway.
Comment 7 Chris Dumez 2017-03-30 08:52:39 PDT
*** This bug has been marked as a duplicate of bug 161368 ***