Bug 161339 - We should throw a SecurityError when denying setting a cross-origin Window property
Summary: We should throw a SecurityError when denying setting a cross-origin Window pr...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Chris Dumez
URL:
Keywords: WebExposed
Depends on:
Blocks:
 
Reported: 2016-08-29 14:10 PDT by Chris Dumez
Modified: 2016-08-29 14:37 PDT (History)
6 users (show)

See Also:

Attachments
Patch (85.17 KB, patch)
2016-08-29 14:12 PDT, Chris Dumez 		no flags Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Chris Dumez 2016-08-29 14:10:19 PDT 
We should throw a SecurityError when denying setting a cross-origin Window property:
- https://html.spec.whatwg.org/#crossoriginset-(-o,-p,-v,-receiver-)
- https://html.spec.whatwg.org/#crossorigingetownpropertyhelper-(-o,-p-)

e.g. crossOriginWindow.name = "" should throw.

Firefox and Chrome already throw but WebKit merely ignores the call and logs an error message.
Comment 1 Chris Dumez 2016-08-29 14:12:00 PDT 
Created attachment 287324 [details]
Patch
Comment 2 Geoffrey Garen 2016-08-29 14:16:19 PDT 
Comment on attachment 287324 [details]
Patch

r=me

I do not envy you the app compatibility bugs that will track back to this change.
Comment 3 Chris Dumez 2016-08-29 14:19:05 PDT 
(In reply to comment #2)
> Comment on attachment 287324 [details]
> Patch
> 
> r=me
> 
> I do not envy you the app compatibility bugs that will track back to this
> change.

Well, if it does not work out, we can always scale back the change. Given the behavior of other browsers, I think it is worth giving it a try.
Comment 4 WebKit Commit Bot 2016-08-29 14:37:10 PDT 
Comment on attachment 287324 [details]
Patch

Clearing flags on attachment: 287324

Committed r205148: <http://trac.webkit.org/changeset/205148>
Comment 5 WebKit Commit Bot 2016-08-29 14:37:15 PDT 
All reviewed patches have been landed.  Closing bug.