RESOLVED FIXED 189371
document.open() should throw errors for cross-origin calls 
https://bugs.webkit.org/show_bug.cgi?id=189371
Summary document.open() should throw errors for cross-origin calls
Timothy Gu
Reported 2018-09-06 14:21:26 PDT
https://html.spec.whatwg.org/multipage/dynamic-markup-insertion.html#document-open-steps has: > 3. Let entryDocument be the responsible document specified by the entry settings object. > > 4. If document's origin is not same origin to entryDocument's origin, then throw a "SecurityError" DOMException. This also applies to implicit calls to document.open() by way of document.write(). Tests: - https://github.com/web-platform-tests/wpt/blob/master/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/bailout-exception-vs-return-origin.sub.window.js - https://github.com/web-platform-tests/wpt/blob/master/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/origin-check-in-document-open-same-origin-domain.sub.html
Attachments
Patch (13.54 KB, patch)
2018-09-27 11:09 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Patch (13.48 KB, patch)
2018-09-27 11:44 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 2 2018-09-09 13:28:27 PDT
<rdar://problem/44282700>
Chris Dumez
Comment 3 2018-09-27 11:09:46 PDT
Created attachment 350979 [details] Patch
Chris Dumez
Comment 4 2018-09-27 11:44:00 PDT
Created attachment 350983 [details] Patch
Chris Dumez
Comment 5 2018-09-28 09:04:00 PDT
ping review?
WebKit Commit Bot
Comment 6 2018-09-28 14:56:40 PDT
Comment on attachment 350983 [details] Patch Clearing flags on attachment: 350983 Committed r236613: <https://trac.webkit.org/changeset/236613>
WebKit Commit Bot
Comment 7 2018-09-28 14:56:42 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.