WebKit Bugzilla
Bug 167920: Symbols exposed on cross-origin Window / Location objects should be configurable
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=167920
Chris Dumez
Reported 2017-02-06 19:55:13 PST
Symbols exposed on cross-origin Window / Location objects should be configurable:
- https://html.spec.whatwg.org/#crossorigingetownpropertyhelper-(-o,-p-) (Step 1)

Firefox behaves as per specification.
Attachments
Patch (5.25 KB, patch), 2017-02-06 19:57 PST, Chris Dumez, no flags
Patch (5.50 KB, patch), 2017-02-06 20:46 PST, Chris Dumez, no flags
Chris Dumez
Comment 1
2017-02-06 19:57:51 PST
Created attachment 300779: Patch
Chris Dumez
Comment 2
2017-02-06 20:03:08 PST
With this bug and Bug 167917 fixed, 100% pass rate on:
- http://w3c-test.org/html/browsers/origin/cross-origin-objects/cross-origin-objects.html
Ryosuke Niwa
Comment 3
2017-02-06 20:12:35 PST
Comment on attachment 300779: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=300779&action=review

> Source/WebCore/bindings/js/JSDOMWindowCustom.cpp:100
> if (propertyName == exec->propertyNames().toStringTagSymbol || propertyName == exec->propertyNames().hasInstanceSymbol || propertyName == exec->propertyNames().isConcatSpreadableSymbol) {

Are these the only symbols that could ever exist on the window object? It seems a bit fragile to have a hard-coded list here.
Chris Dumez
Comment 4
2017-02-06 20:27:53 PST
(In reply to comment #3)
> Comment on attachment 300779
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=300779&action=review
>
> > Source/WebCore/bindings/js/JSDOMWindowCustom.cpp:100
> > if (propertyName == exec->propertyNames().toStringTagSymbol || propertyName == exec->propertyNames().hasInstanceSymbol || propertyName == exec->propertyNames().isConcatSpreadableSymbol) {
>
> Are these the only symbols that could ever exist on the window object?
> It seems a bit fragile to have a hard-coded list here.

These are the only ones that we expose on Window / Location objects that are *cross-origin*. They are listed in the spec here:
https://html.spec.whatwg.org/#crossorigingetownpropertyhelper-(-o,-p-) (Step 1).
Chris Dumez
Comment 5
2017-02-06 20:31:06 PST
(In reply to comment #4)
> (In reply to comment #3)
> > Comment on attachment 300779
> > Patch
> >
> > View in context:
> > https://bugs.webkit.org/attachment.cgi?id=300779&action=review
> >
> > > Source/WebCore/bindings/js/JSDOMWindowCustom.cpp:100
> > > if (propertyName == exec->propertyNames().toStringTagSymbol || propertyName == exec->propertyNames().hasInstanceSymbol || propertyName == exec->propertyNames().isConcatSpreadableSymbol) {
> >
> > Are these the only symbols that could ever exist on the window object?
> > It seems a bit fragile to have a hard-coded list here.
>
> These are the only ones that we expose on Window / Location objects that are *cross-origin*. They are listed in the spec here:
> https://html.spec.whatwg.org/#crossorigingetownpropertyhelper-(-o,-p-) (Step 1).

This is how the HTML specification and our code operate for cross-origin Window / Location objects: we explicitly whitelist things we want to expose. The list of properties exposed cross-origin on these objects is also hard-coded.
Ryosuke Niwa
Comment 6
2017-02-06 20:33:19 PST
Comment on attachment 300779: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=300779&action=review

>>>> Source/WebCore/bindings/js/JSDOMWindowCustom.cpp:100
>>>> if (propertyName == exec->propertyNames().toStringTagSymbol || propertyName == exec->propertyNames().hasInstanceSymbol || propertyName == exec->propertyNames().isConcatSpreadableSymbol) {
>>>
>>> Are these the only symbols that could ever exist on the window object?
>>> It seems a bit fragile to have a hard-coded list here.
>>
>> These are the only ones that we expose on Window / Location objects that are *cross-origin*. They are listed in the spec here:
>> https://html.spec.whatwg.org/#crossorigingetownpropertyhelper-(-o,-p-) (Step 1).
>
> This is how the HTML specification and our code operate for cross-origin Window / Location objects: we explicitly whitelist things we want to expose. The list of properties exposed cross-origin on these objects is also hard-coded.

We should probably add that URL as a comment.

> Source/WebCore/bindings/js/JSLocationCustom.cpp:-57
> if (propertyName == state->propertyNames().toStringTagSymbol || propertyName == state->propertyNames().hasInstanceSymbol || propertyName == state->propertyNames().isConcatSpreadableSymbol) {
> - slot.setUndefined();

Ditto here. Also, perhaps we should extract this check into a helper function so that there's a single list instead of being duplicated in two places.
Chris Dumez
Comment 7
2017-02-06 20:46:55 PST
Created attachment 300785: Patch
Chris Dumez
Comment 8
2017-02-06 20:48:45 PST
Comment on attachment 300785: Patch
Clearing flags on attachment: 300785

Committed r211772: <http://trac.webkit.org/changeset/211772>
Chris Dumez
Comment 9
2017-02-06 20:48:51 PST
All reviewed patches have been landed. Closing bug.
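
The behaviour discussed in Comments 3 to 6, modelled in JavaScript as an added example (it is not WebKit code and not part of the original thread): a single whitelist of the three symbols, each answered with an undefined-valued, configurable descriptor, and everything outside the whitelist rejected. The names `crossOriginGetOwnProperty`, `crossOriginView`, `probe` and `fakeWindow` are hypothetical, the two exposed property names are a constructed subset, and exposed attributes are simplified to data descriptors.

```javascript
// Added illustration: models the spec's lookup, not WebKit's C++ bindings.
// One shared whitelist, rather than a copy per object type (see Comment 6).
const CROSS_ORIGIN_SYMBOLS = new Set([
  Symbol.toStringTag, Symbol.hasInstance, Symbol.isConcatSpreadable,
]);

// Stand-in for the DOMException named "SecurityError" a browser would throw.
function securityError(key) {
  const err = new Error(`Blocked cross-origin access to ${String(key)}`);
  err.name = 'SecurityError';
  return err;
}

// Whitelisted symbol -> undefined-valued, configurable descriptor.
// Explicitly exposed name -> its value (simplified to a data descriptor).
// Anything else -> SecurityError.
function crossOriginGetOwnProperty(real, exposedNames, key) {
  if (CROSS_ORIGIN_SYMBOLS.has(key)) {
    return { value: undefined, writable: false, enumerable: false, configurable: true };
  }
  if (typeof key === 'string' && exposedNames.has(key)) {
    return { value: real[key], writable: false, enumerable: false, configurable: true };
  }
  throw securityError(key);
}

// Cross-origin view of `real`: every lookup goes through the function above.
// symbolsConfigurable=false models a non-configurable descriptor, the case the bug title rules out.
function crossOriginView(real, exposedNames, symbolsConfigurable = true) {
  return new Proxy({}, {
    getOwnPropertyDescriptor(_target, key) {
      const desc = crossOriginGetOwnProperty(real, exposedNames, key);
      if (CROSS_ORIGIN_SYMBOLS.has(key)) desc.configurable = symbolsConfigurable;
      return desc;
    },
    get(_target, key) {
      return crossOriginGetOwnProperty(real, exposedNames, key).value;
    },
  });
}

// Constructed sample: a window-like object and a two-name subset of exposed names.
const fakeWindow = { closed: false, secret: 'same-origin only', [Symbol.toStringTag]: 'Window' };
const view = crossOriginView(fakeWindow, new Set(['closed', 'postMessage']));
// Returns the descriptor, or the name of the error the lookup threw.
function probe(obj, key) {
  try { return Object.getOwnPropertyDescriptor(obj, key); } catch (e) { return e.name; }
}
console.log(probe(view, Symbol.toStringTag), probe(view, 'secret'));
```

Passing `false` as the third argument makes the lookup throw a TypeError in this model, because JavaScript does not let a Proxy report a non-configurable property that its target lacks.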