NEW106641
window.history shouldn't be exposed across origins 
https://bugs.webkit.org/show_bug.cgi?id=106641
Summary window.history shouldn't be exposed across origins
Adam Barth
Reported 2013-01-11 01:25:47 PST
window.history shouldn't be exposed across origins
Attachments
Example patch (10.65 KB, patch)
2013-01-11 01:37 PST, Adam Barth 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Adam Barth
Comment 1 2013-01-11 01:37:27 PST
Created attachment 182297 [details] Example patch
Adam Barth
Comment 2 2013-01-11 01:38:09 PST
There are likely some tests that need to change as well. We might also want to measure how often window.history is accessed across origins before making this change.
Eric Seidel (no email)
Comment 3 2013-01-11 01:38:52 PST
Comment on attachment 182297 [details] Example patch This is great! But we need a test.
Adam Barth
Comment 4 2013-01-11 01:40:03 PST
There are plenty of tests. I just haven't actually compiled this patch yet. :)
Brady Eidson
Comment 5 2013-01-11 10:16:17 PST
Is this in a spec?
Adam Barth
Comment 6 2013-01-11 10:44:39 PST
> Is this in a spec? This patch aligns our behavior more closely with the spec: http://www.whatwg.org/specs/web-apps/current-work/multipage/browsers.html#security-window There are still a number of differences in what's exposed across origins, which is what the whatwg thread was about. We'd like the implementation and the spec to converge, but it's not completely obvious to me which things should or shouldn't be exposed across origins. As a general rule, I think it makes sense to expose as little as possible while still remaining compatible with the web.
Eric Seidel (no email)
Comment 7 2013-04-28 15:34:50 PDT
Mozilla did some investigation of this: Results: https://bug839867.bugzilla.mozilla.org/attachment.cgi?id=712247 More info: https://bugzilla.mozilla.org/show_bug.cgi?id=839867 Suggesting we're the odd man out here.
Note You need to log in before you can comment on or make changes to this bug.