Bug 154779 - Prevent cross-origin access to Location.assign() / Location.reload()
Summary: Prevent cross-origin access to Location.assign() / Location.reload()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Chris Dumez
URL: https://html.spec.whatwg.org/multipag...
Keywords: WebExposed
Depends on:
Blocks:
 
Reported: 2016-02-27 12:47 PST by Chris Dumez
Modified: 2016-02-27 16:50 PST (History)
3 users (show)

See Also:


Attachments
Patch (16.93 KB, patch)
2016-02-27 13:27 PST, Chris Dumez
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Chris Dumez 2016-02-27 12:47:54 PST
Prevent cross-origin access to Location.assign() / Location.reload() to match the latest specification:
https://html.spec.whatwg.org/multipage/browsers.html#crossoriginproperties-(-o-)

Firefox and Chrome already prevent this but Safari allows it.

We should only allow cross origin access to Location.replace() and the Location.href setter.
Comment 1 Chris Dumez 2016-02-27 13:27:20 PST
Created attachment 272421 [details]
Patch
Comment 2 WebKit Commit Bot 2016-02-27 16:50:22 PST
Comment on attachment 272421 [details]
Patch

Clearing flags on attachment: 272421

Committed r197263: <http://trac.webkit.org/changeset/197263>
Comment 3 WebKit Commit Bot 2016-02-27 16:50:26 PST
All reviewed patches have been landed.  Closing bug.