Bug 189371 - document.open() should throw errors for cross-origin calls
Summary: document.open() should throw errors for cross-origin calls
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Chris Dumez
Keywords: InRadar
Depends on: 190174
  Show dependency treegraph
Reported: 2018-09-06 14:21 PDT by Timothy Gu
Modified: 2018-10-01 16:25 PDT (History)
13 users (show)

See Also:

Patch (13.54 KB, patch)
2018-09-27 11:09 PDT, Chris Dumez
no flags Details | Formatted Diff | Diff
Patch (13.48 KB, patch)
2018-09-27 11:44 PDT, Chris Dumez
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Timothy Gu 2018-09-06 14:21:26 PDT
https://html.spec.whatwg.org/multipage/dynamic-markup-insertion.html#document-open-steps has:

> 3. Let entryDocument be the responsible document specified by the entry settings object.
> 4. If document's origin is not same origin to entryDocument's origin, then throw a "SecurityError" DOMException.

This also applies to implicit calls to document.open() by way of document.write().

- https://github.com/web-platform-tests/wpt/blob/master/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/bailout-exception-vs-return-origin.sub.window.js
- https://github.com/web-platform-tests/wpt/blob/master/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/origin-check-in-document-open-same-origin-domain.sub.html
Comment 2 Radar WebKit Bug Importer 2018-09-09 13:28:27 PDT
Comment 3 Chris Dumez 2018-09-27 11:09:46 PDT
Created attachment 350979 [details]
Comment 4 Chris Dumez 2018-09-27 11:44:00 PDT
Created attachment 350983 [details]
Comment 5 Chris Dumez 2018-09-28 09:04:00 PDT
ping review?
Comment 6 WebKit Commit Bot 2018-09-28 14:56:40 PDT
Comment on attachment 350983 [details]

Clearing flags on attachment: 350983

Committed r236613: <https://trac.webkit.org/changeset/236613>
Comment 7 WebKit Commit Bot 2018-09-28 14:56:42 PDT
All reviewed patches have been landed.  Closing bug.