Bug 43504 - location.href does not throw SECURITY_ERR when accessed across origins
: location.href does not throw SECURITY_ERR when accessed across origins
Status: ASSIGNED
Product: WebKit
Classification: Unclassified
Component: WebCore JavaScript
: 528+ (Nightly build)
: All All
: P2 Normal
Assigned To: Mike West
: EasyFix, HasReduction, HTML5
Depends on: 43891 43892
Blocks: 98408
  Show dependency treegraph
 
Reported: 2010-08-04 12:51 PDT by Mihai Parparita
Modified: 2013-02-04 05:12 PST (History)
9 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Mihai Parparita 2010-08-04 12:51:38 PDT
The HTML5 spec is pretty clear about this:

http://www.whatwg.org/specs/web-apps/current-work/multipage/history.html#security-location

For a test case, see the frames[0].location.href line of:

http://persistent.info/webkit/test-cases/iframe-location-href.html?http://example.com

It just shows that the return value is undefined, with no exception being thrown.

Gecko and IE do throw the exception.
Comment 1 Mihai Parparita 2010-08-04 12:53:04 PDT
Alexey, adding you to the cc list since you mentioned this in comment 5 of bug 17627. I couldn't find another bug filed for this issue, but perhaps you're aware of one.
Comment 2 Mihai Parparita 2010-08-11 18:35:42 PDT
Since fixing the V8 bindings is significantly more complex than the JSC ones (see http://groups.google.com/group/v8-users/browse_thread/thread/e73680b6ca97a46d), I've split this bug into two (bug 43891 and bug 43892), since it'll be two pretty different patches.
Comment 3 David Levin 2012-03-22 16:25:23 PDT
*** Bug 81973 has been marked as a duplicate of this bug. ***
Comment 4 Mike West 2012-09-28 00:35:11 PDT
Mihai, I'm going to pick this up if you don't mind.
Comment 5 Mike West 2013-02-04 05:12:23 PST
Poking the webkit-dev bear again: https://lists.webkit.org/pipermail/webkit-dev/2013-February/023636.html