Bug 169787 - Allow setting the prototype of cross-origin objects, as long as they don't change
Summary: Allow setting the prototype of cross-origin objects, as long as they don't ch...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Bindings (show other bugs)
Version: Safari Technology Preview
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Chris Dumez
URL: https://html.spec.whatwg.org/#windowp...
Keywords: WebExposed
Depends on:
Blocks:
 
Reported: 2017-03-16 14:37 PDT by Domenic Denicola
Modified: 2017-03-18 10:52 PDT (History)
10 users (show)

See Also:

Attachments
WIP Patch (3.62 KB, patch)
2017-03-16 15:50 PDT, Chris Dumez 		buildbot: commit-queue-
Details | Formatted Diff | Diff
Archive of layout-test-results from ews107 for mac-elcapitan-wk2 (1.24 MB, application/zip)
2017-03-16 16:37 PDT, Build Bot 		no flags Details
WIP Patch (13.51 KB, patch)
2017-03-16 16:49 PDT, Chris Dumez 		no flags Details | Formatted Diff | Diff
Archive of layout-test-results from ews114 for mac-elcapitan (2.01 MB, application/zip)
2017-03-16 18:23 PDT, Build Bot 		no flags Details
Patch (52.67 KB, patch)
2017-03-16 20:59 PDT, Chris Dumez 		no flags Details | Formatted Diff | Diff
Patch (50.03 KB, patch)
2017-03-17 09:51 PDT, Chris Dumez 		no flags Details | Formatted Diff | Diff
Archive of layout-test-results from ews106 for mac-elcapitan-wk2 (851.50 KB, application/zip)
2017-03-17 11:03 PDT, Build Bot 		no flags Details
Patch (59.66 KB, patch)
2017-03-17 20:05 PDT, Chris Dumez 		mark.lam: review+
Details | Formatted Diff | Diff
Show Obsolete (7) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Domenic Denicola 2017-03-16 14:37:35 PDT 
A recent spec tweak made WindowProxy and Location consistent with Object.prototype in the ECMAScript spec, in that you are allowed to set their prototype as long as you don't *change* it. Safari Tech Preview implements the spec perfectly before this tweak; sorry to change this from under you.

The following web platform tests should cover the new behavior exhaustively:

- WindowProxy
  - http://w3c-test.org/html/browsers/the-windowproxy-exotic-object/windowproxy-prototype-setting-cross-origin-domain.sub.html
  - http://w3c-test.org/html/browsers/the-windowproxy-exotic-object/windowproxy-prototype-setting-cross-origin.sub.html
  - http://w3c-test.org/html/browsers/the-windowproxy-exotic-object/windowproxy-prototype-setting-goes-cross-origin-domain.sub.html
  - http://w3c-test.org/html/browsers/the-windowproxy-exotic-object/windowproxy-prototype-setting-same-origin-domain.sub.html
  - http://w3c-test.org/html/browsers/the-windowproxy-exotic-object/windowproxy-prototype-setting-same-origin.html
- Location
  - http://w3c-test.org/html/browsers/history/the-location-interface/location-prototype-setting-cross-origin-domain.sub.html
  - http://w3c-test.org/html/browsers/history/the-location-interface/location-prototype-setting-cross-origin.sub.html
  - http://w3c-test.org/html/browsers/history/the-location-interface/location-prototype-setting-goes-cross-origin-domain.sub.html
  - http://w3c-test.org/html/browsers/history/the-location-interface/location-prototype-setting-same-origin-domain.sub.html
  - http://w3c-test.org/html/browsers/history/the-location-interface/location-prototype-setting-same-origin.html
Comment 1 Chris Dumez 2017-03-16 15:50:39 PDT 
Created attachment 304710 [details]
WIP Patch
Comment 2 Build Bot 2017-03-16 16:29:00 PDT 
Comment on attachment 304710 [details]
WIP Patch

Attachment 304710 [details] did not pass jsc-ews (mac):
Output: http://webkit-queues.webkit.org/results/3343789

New failing tests:
jsc-layout-tests.yaml/js/script-tests/object-literal-shorthand-construction.js.layout-ftl-no-cjit
jsc-layout-tests.yaml/js/script-tests/prototype-assignment.js.misc-ftl-no-cjit
jsc-layout-tests.yaml/js/script-tests/object-literal-shorthand-construction.js.layout-no-ftl
jsc-layout-tests.yaml/js/script-tests/object-literal-shorthand-construction.js.layout-no-cjit
jsc-layout-tests.yaml/js/script-tests/object-literal-shorthand-construction.js.layout-ftl-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/object-literal-shorthand-construction.js.layout-dfg-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/object-literal-shorthand-construction.js.layout
jsc-layout-tests.yaml/js/script-tests/object-literal-shorthand-construction.js.layout-no-llint
Comment 3 Build Bot 2017-03-16 16:37:18 PDT 
Comment on attachment 304710 [details]
WIP Patch

Attachment 304710 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/3343804

New failing tests:
http/tests/security/xss-DENIED-regular-propterty-with-iframe-proto.html
imported/w3c/web-platform-tests/html/browsers/history/the-location-interface/allow_prototype_cycle_through_location.sub.html
js/object-literal-shorthand-construction.html
http/tests/security/cross-frame-access-object-setPrototypeOf.html
js/dom/setPrototypeOf-location-window.html
js/prototype-assignment.html
fast/dom/Window/window-custom-prototype-crash.html
Comment 4 Build Bot 2017-03-16 16:37:23 PDT 
Created attachment 304719 [details]
Archive of layout-test-results from ews107 for mac-elcapitan-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews107  Port: mac-elcapitan-wk2  Platform: Mac OS X 10.11.6
Comment 5 Chris Dumez 2017-03-16 16:49:00 PDT 
Created attachment 304721 [details]
WIP Patch
Comment 6 Build Bot 2017-03-16 17:24:59 PDT 
Comment on attachment 304721 [details]
WIP Patch

Attachment 304721 [details] did not pass jsc-ews (mac):
Output: http://webkit-queues.webkit.org/results/3344358

New failing tests:
jsc-layout-tests.yaml/js/script-tests/object-literal-shorthand-construction.js.layout-ftl-no-cjit
jsc-layout-tests.yaml/js/script-tests/prototype-assignment.js.misc-ftl-no-cjit
jsc-layout-tests.yaml/js/script-tests/object-literal-shorthand-construction.js.layout-no-ftl
jsc-layout-tests.yaml/js/script-tests/object-literal-shorthand-construction.js.layout-no-cjit
jsc-layout-tests.yaml/js/script-tests/object-literal-shorthand-construction.js.layout-ftl-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/object-literal-shorthand-construction.js.layout-dfg-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/object-literal-shorthand-construction.js.layout
jsc-layout-tests.yaml/js/script-tests/object-literal-shorthand-construction.js.layout-no-llint
Comment 7 Build Bot 2017-03-16 18:23:36 PDT 
Comment on attachment 304721 [details]
WIP Patch

Attachment 304721 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/3344622

New failing tests:
http/tests/security/xss-DENIED-regular-propterty-with-iframe-proto.html
imported/w3c/web-platform-tests/html/browsers/origin/cross-origin-objects/cross-origin-objects.html
js/object-literal-shorthand-construction.html
http/tests/security/cross-frame-access-object-setPrototypeOf.html
js/dom/setPrototypeOf-location-window.html
js/prototype-assignment.html
fast/dom/Window/window-custom-prototype-crash.html
Comment 8 Build Bot 2017-03-16 18:23:40 PDT 
Created attachment 304734 [details]
Archive of layout-test-results from ews114 for mac-elcapitan

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews114  Port: mac-elcapitan  Platform: Mac OS X 10.11.6
Comment 9 Chris Dumez 2017-03-16 20:59:24 PDT 
Created attachment 304748 [details]
Patch
Comment 10 Build Bot 2017-03-16 21:44:50 PDT 
Comment on attachment 304748 [details]
Patch

Attachment 304748 [details] did not pass jsc-ews (mac):
Output: http://webkit-queues.webkit.org/results/3346337

New failing tests:
jsc-layout-tests.yaml/js/script-tests/object-literal-shorthand-construction.js.layout-ftl-no-cjit
jsc-layout-tests.yaml/js/script-tests/prototype-assignment.js.misc-ftl-no-cjit
jsc-layout-tests.yaml/js/script-tests/object-literal-shorthand-construction.js.layout-no-ftl
jsc-layout-tests.yaml/js/script-tests/object-literal-shorthand-construction.js.layout-no-cjit
jsc-layout-tests.yaml/js/script-tests/object-literal-shorthand-construction.js.layout-ftl-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/object-literal-shorthand-construction.js.layout-dfg-eager-no-cjit
jsc-layout-tests.yaml/js/script-tests/object-literal-shorthand-construction.js.layout
jsc-layout-tests.yaml/js/script-tests/object-literal-shorthand-construction.js.layout-no-llint
Comment 11 Chris Dumez 2017-03-16 22:04:54 PDT 
Comment on attachment 304748 [details]
Patch

Will look into the JSC test failures tomorrow.
Comment 12 Chris Dumez 2017-03-17 09:51:07 PDT 
Created attachment 304789 [details]
Patch
Comment 13 Chris Dumez 2017-03-17 10:50:12 PDT 
Comment on attachment 304789 [details]
Patch

All green, ready for review.
Comment 14 Build Bot 2017-03-17 11:03:53 PDT 
Comment on attachment 304789 [details]
Patch

Attachment 304789 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/3350533

New failing tests:
webrtc/peer-connection-audio-mute2.html
Comment 15 Build Bot 2017-03-17 11:03:58 PDT 
Created attachment 304796 [details]
Archive of layout-test-results from ews106 for mac-elcapitan-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews106  Port: mac-elcapitan-wk2  Platform: Mac OS X 10.11.6
Comment 16 Chris Dumez 2017-03-17 11:11:27 PDT 
Comment on attachment 304789 [details]
Patch

Flake!
Comment 17 Mark Lam 2017-03-17 15:07:27 PDT 
Comment on attachment 304789 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=304789&action=review

> Source/WebCore/page/DOMWindow.idl:40
> -    IsImmutablePrototypeExoticObject,
>      IsImmutablePrototypeExoticObjectOnPrototype,

If IsImmutablePrototypeExoticObject has no effect on the Window, does it have any effect elsewhere?  Or should it be removed completely everywhere?  If it has effect elsewhere, I'd be curious to know why it's different here.

Secondly, is IsImmutablePrototypeExoticObjectOnPrototype needed still?
Comment 18 Chris Dumez 2017-03-17 15:11:43 PDT 
Comment on attachment 304789 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=304789&action=review

>> Source/WebCore/page/DOMWindow.idl:40
>>      IsImmutablePrototypeExoticObjectOnPrototype,
> 
> If IsImmutablePrototypeExoticObject has no effect on the Window, does it have any effect elsewhere?  Or should it be removed completely everywhere?  If it has effect elsewhere, I'd be curious to know why it's different here.
> 
> Secondly, is IsImmutablePrototypeExoticObjectOnPrototype needed still?

As I explained in the Changelog, the reason it has no effect on Window is because Window has a proxy and its proxy already takes care of throwing when setting the prototype (see JSProxy::setPrototypeOf()).
Comment 19 Chris Dumez 2017-03-17 16:24:37 PDT 
Comment on attachment 304789 [details]
Patch

Trying something else based on Mark's offline feedback.
Comment 20 Chris Dumez 2017-03-17 20:05:02 PDT 
Created attachment 304851 [details]
Patch
Comment 21 Mark Lam 2017-03-18 08:57:49 PDT 
Comment on attachment 304851 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=304851&action=review

Nice.  r=me

> Source/JavaScriptCore/ChangeLog:17
> +        In particular, we need to call [[GetPrototypeOf]] and return true it returns the same

typo: /true it/true if it/.

> Source/JavaScriptCore/ChangeLog:26
> +        Handling in immutable prototype exotic objects in that method does the right thing for

typo: /Handing in immutable/Handling immutable/.
Comment 22 Chris Dumez 2017-03-18 10:52:08 PDT 
Committed r214135: <http://trac.webkit.org/changeset/214135>