RESOLVED FIXED 169787
Allow setting the prototype of cross-origin objects, as long as they don't change 
https://bugs.webkit.org/show_bug.cgi?id=169787
Summary Allow setting the prototype of cross-origin objects, as long as they don't ch...
Domenic Denicola
Reported 2017-03-16 14:37:35 PDT
A recent spec tweak made WindowProxy and Location consistent with Object.prototype in the ECMAScript spec, in that you are allowed to set their prototype as long as you don't *change* it. Safari Tech Preview implements the spec perfectly before this tweak; sorry to change this from under you. The following web platform tests should cover the new behavior exhaustively: - WindowProxy - http://w3c-test.org/html/browsers/the-windowproxy-exotic-object/windowproxy-prototype-setting-cross-origin-domain.sub.html - http://w3c-test.org/html/browsers/the-windowproxy-exotic-object/windowproxy-prototype-setting-cross-origin.sub.html - http://w3c-test.org/html/browsers/the-windowproxy-exotic-object/windowproxy-prototype-setting-goes-cross-origin-domain.sub.html - http://w3c-test.org/html/browsers/the-windowproxy-exotic-object/windowproxy-prototype-setting-same-origin-domain.sub.html - http://w3c-test.org/html/browsers/the-windowproxy-exotic-object/windowproxy-prototype-setting-same-origin.html - Location - http://w3c-test.org/html/browsers/history/the-location-interface/location-prototype-setting-cross-origin-domain.sub.html - http://w3c-test.org/html/browsers/history/the-location-interface/location-prototype-setting-cross-origin.sub.html - http://w3c-test.org/html/browsers/history/the-location-interface/location-prototype-setting-goes-cross-origin-domain.sub.html - http://w3c-test.org/html/browsers/history/the-location-interface/location-prototype-setting-same-origin-domain.sub.html - http://w3c-test.org/html/browsers/history/the-location-interface/location-prototype-setting-same-origin.html
Attachments
WIP Patch (3.62 KB, patch)
2017-03-16 15:50 PDT, Chris Dumez 		buildbot: commit-queue-
DetailsFormatted DiffDiff
Archive of layout-test-results from ews107 for mac-elcapitan-wk2 (1.24 MB, application/zip)
2017-03-16 16:37 PDT, Build Bot 		no flags
Details
WIP Patch (13.51 KB, patch)
2017-03-16 16:49 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Archive of layout-test-results from ews114 for mac-elcapitan (2.01 MB, application/zip)
2017-03-16 18:23 PDT, Build Bot 		no flags
Details
Patch (52.67 KB, patch)
2017-03-16 20:59 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Patch (50.03 KB, patch)
2017-03-17 09:51 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Archive of layout-test-results from ews106 for mac-elcapitan-wk2 (851.50 KB, application/zip)
2017-03-17 11:03 PDT, Build Bot 		no flags
Details
Patch (59.66 KB, patch)
2017-03-17 20:05 PDT, Chris Dumez 		mark.lam: review+
DetailsFormatted DiffDiff
Show Obsolete (7) View All Add attachment proposed patch, testcase, etc.
Chris Dumez
Comment 1 2017-03-16 15:50:39 PDT
Created attachment 304710 [details] WIP Patch
Build Bot
Comment 2 2017-03-16 16:29:00 PDT
Comment on attachment 304710 [details] WIP Patch Attachment 304710 [details] did not pass jsc-ews (mac): Output: http://webkit-queues.webkit.org/results/3343789 New failing tests: jsc-layout-tests.yaml/js/script-tests/object-literal-shorthand-construction.js.layout-ftl-no-cjit jsc-layout-tests.yaml/js/script-tests/prototype-assignment.js.misc-ftl-no-cjit jsc-layout-tests.yaml/js/script-tests/object-literal-shorthand-construction.js.layout-no-ftl jsc-layout-tests.yaml/js/script-tests/object-literal-shorthand-construction.js.layout-no-cjit jsc-layout-tests.yaml/js/script-tests/object-literal-shorthand-construction.js.layout-ftl-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/object-literal-shorthand-construction.js.layout-dfg-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/object-literal-shorthand-construction.js.layout jsc-layout-tests.yaml/js/script-tests/object-literal-shorthand-construction.js.layout-no-llint
Build Bot
Comment 3 2017-03-16 16:37:18 PDT
Comment on attachment 304710 [details] WIP Patch Attachment 304710 [details] did not pass mac-wk2-ews (mac-wk2): Output: http://webkit-queues.webkit.org/results/3343804 New failing tests: http/tests/security/xss-DENIED-regular-propterty-with-iframe-proto.html imported/w3c/web-platform-tests/html/browsers/history/the-location-interface/allow_prototype_cycle_through_location.sub.html js/object-literal-shorthand-construction.html http/tests/security/cross-frame-access-object-setPrototypeOf.html js/dom/setPrototypeOf-location-window.html js/prototype-assignment.html fast/dom/Window/window-custom-prototype-crash.html
Build Bot
Comment 4 2017-03-16 16:37:23 PDT
Created attachment 304719 [details] Archive of layout-test-results from ews107 for mac-elcapitan-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: ews107 Port: mac-elcapitan-wk2 Platform: Mac OS X 10.11.6
Chris Dumez
Comment 5 2017-03-16 16:49:00 PDT
Created attachment 304721 [details] WIP Patch
Build Bot
Comment 6 2017-03-16 17:24:59 PDT
Comment on attachment 304721 [details] WIP Patch Attachment 304721 [details] did not pass jsc-ews (mac): Output: http://webkit-queues.webkit.org/results/3344358 New failing tests: jsc-layout-tests.yaml/js/script-tests/object-literal-shorthand-construction.js.layout-ftl-no-cjit jsc-layout-tests.yaml/js/script-tests/prototype-assignment.js.misc-ftl-no-cjit jsc-layout-tests.yaml/js/script-tests/object-literal-shorthand-construction.js.layout-no-ftl jsc-layout-tests.yaml/js/script-tests/object-literal-shorthand-construction.js.layout-no-cjit jsc-layout-tests.yaml/js/script-tests/object-literal-shorthand-construction.js.layout-ftl-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/object-literal-shorthand-construction.js.layout-dfg-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/object-literal-shorthand-construction.js.layout jsc-layout-tests.yaml/js/script-tests/object-literal-shorthand-construction.js.layout-no-llint
Build Bot
Comment 7 2017-03-16 18:23:36 PDT
Comment on attachment 304721 [details] WIP Patch Attachment 304721 [details] did not pass mac-debug-ews (mac): Output: http://webkit-queues.webkit.org/results/3344622 New failing tests: http/tests/security/xss-DENIED-regular-propterty-with-iframe-proto.html imported/w3c/web-platform-tests/html/browsers/origin/cross-origin-objects/cross-origin-objects.html js/object-literal-shorthand-construction.html http/tests/security/cross-frame-access-object-setPrototypeOf.html js/dom/setPrototypeOf-location-window.html js/prototype-assignment.html fast/dom/Window/window-custom-prototype-crash.html
Build Bot
Comment 8 2017-03-16 18:23:40 PDT
Created attachment 304734 [details] Archive of layout-test-results from ews114 for mac-elcapitan The attached test failures were seen while running run-webkit-tests on the mac-debug-ews. Bot: ews114 Port: mac-elcapitan Platform: Mac OS X 10.11.6
Chris Dumez
Comment 9 2017-03-16 20:59:24 PDT
Created attachment 304748 [details] Patch
Build Bot
Comment 10 2017-03-16 21:44:50 PDT
Comment on attachment 304748 [details] Patch Attachment 304748 [details] did not pass jsc-ews (mac): Output: http://webkit-queues.webkit.org/results/3346337 New failing tests: jsc-layout-tests.yaml/js/script-tests/object-literal-shorthand-construction.js.layout-ftl-no-cjit jsc-layout-tests.yaml/js/script-tests/prototype-assignment.js.misc-ftl-no-cjit jsc-layout-tests.yaml/js/script-tests/object-literal-shorthand-construction.js.layout-no-ftl jsc-layout-tests.yaml/js/script-tests/object-literal-shorthand-construction.js.layout-no-cjit jsc-layout-tests.yaml/js/script-tests/object-literal-shorthand-construction.js.layout-ftl-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/object-literal-shorthand-construction.js.layout-dfg-eager-no-cjit jsc-layout-tests.yaml/js/script-tests/object-literal-shorthand-construction.js.layout jsc-layout-tests.yaml/js/script-tests/object-literal-shorthand-construction.js.layout-no-llint
Chris Dumez
Comment 11 2017-03-16 22:04:54 PDT
Comment on attachment 304748 [details] Patch Will look into the JSC test failures tomorrow.
Chris Dumez
Comment 12 2017-03-17 09:51:07 PDT
Created attachment 304789 [details] Patch
Chris Dumez
Comment 13 2017-03-17 10:50:12 PDT
Comment on attachment 304789 [details] Patch All green, ready for review.
Build Bot
Comment 14 2017-03-17 11:03:53 PDT
Comment on attachment 304789 [details] Patch Attachment 304789 [details] did not pass mac-wk2-ews (mac-wk2): Output: http://webkit-queues.webkit.org/results/3350533 New failing tests: webrtc/peer-connection-audio-mute2.html
Build Bot
Comment 15 2017-03-17 11:03:58 PDT
Created attachment 304796 [details] Archive of layout-test-results from ews106 for mac-elcapitan-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: ews106 Port: mac-elcapitan-wk2 Platform: Mac OS X 10.11.6
Chris Dumez
Comment 16 2017-03-17 11:11:27 PDT
Comment on attachment 304789 [details] Patch Flake!
Mark Lam
Comment 17 2017-03-17 15:07:27 PDT
Comment on attachment 304789 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=304789&action=review > Source/WebCore/page/DOMWindow.idl:40 > - IsImmutablePrototypeExoticObject, > IsImmutablePrototypeExoticObjectOnPrototype, If IsImmutablePrototypeExoticObject has no effect on the Window, does it have any effect elsewhere? Or should it be removed completely everywhere? If it has effect elsewhere, I'd be curious to know why it's different here. Secondly, is IsImmutablePrototypeExoticObjectOnPrototype needed still?
Chris Dumez
Comment 18 2017-03-17 15:11:43 PDT
Comment on attachment 304789 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=304789&action=review >> Source/WebCore/page/DOMWindow.idl:40 >> IsImmutablePrototypeExoticObjectOnPrototype, > > If IsImmutablePrototypeExoticObject has no effect on the Window, does it have any effect elsewhere? Or should it be removed completely everywhere? If it has effect elsewhere, I'd be curious to know why it's different here. > > Secondly, is IsImmutablePrototypeExoticObjectOnPrototype needed still? As I explained in the Changelog, the reason it has no effect on Window is because Window has a proxy and its proxy already takes care of throwing when setting the prototype (see JSProxy::setPrototypeOf()).
Chris Dumez
Comment 19 2017-03-17 16:24:37 PDT
Comment on attachment 304789 [details] Patch Trying something else based on Mark's offline feedback.
Chris Dumez
Comment 20 2017-03-17 20:05:02 PDT
Created attachment 304851 [details] Patch
Mark Lam
Comment 21 2017-03-18 08:57:49 PDT
Comment on attachment 304851 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=304851&action=review Nice. r=me > Source/JavaScriptCore/ChangeLog:17 > + In particular, we need to call [[GetPrototypeOf]] and return true it returns the same typo: /true it/true if it/. > Source/JavaScriptCore/ChangeLog:26 > + Handling in immutable prototype exotic objects in that method does the right thing for typo: /Handing in immutable/Handling immutable/.
Chris Dumez
Comment 22 2017-03-18 10:52:08 PDT
Committed r214135: <http://trac.webkit.org/changeset/214135>
Note You need to log in before you can comment on or make changes to this bug.