Bug 43504 - location.href does not throw SECURITY_ERR when accessed across origins
: location.href does not throw SECURITY_ERR when accessed across origins
Status: ASSIGNED
: WebKit
WebCore JavaScript
: 528+ (Nightly build)
: All All
: P2 Normal
Assigned To:
:
: EasyFix, HasReduction, HTML5
: 43891 43892
: 98408
  Show dependency treegraph
 
Reported: 2010-08-04 12:51 PST by
Modified: 2013-02-04 05:12 PST (History)


Attachments


Note

You need to log in before you can comment on or make changes to this bug.


Description From 2010-08-04 12:51:38 PST
The HTML5 spec is pretty clear about this:

http://www.whatwg.org/specs/web-apps/current-work/multipage/history.html#security-location

For a test case, see the frames[0].location.href line of:

http://persistent.info/webkit/test-cases/iframe-location-href.html?http://example.com

It just shows that the return value is undefined, with no exception being thrown.

Gecko and IE do throw the exception.
------- Comment #1 From 2010-08-04 12:53:04 PST -------
Alexey, adding you to the cc list since you mentioned this in comment 5 of bug 17627. I couldn't find another bug filed for this issue, but perhaps you're aware of one.
------- Comment #2 From 2010-08-11 18:35:42 PST -------
Since fixing the V8 bindings is significantly more complex than the JSC ones (see http://groups.google.com/group/v8-users/browse_thread/thread/e73680b6ca97a46d), I've split this bug into two (bug 43891 and bug 43892), since it'll be two pretty different patches.
------- Comment #3 From 2012-03-22 16:25:23 PST -------
*** Bug 81973 has been marked as a duplicate of this bug. ***
------- Comment #4 From 2012-09-28 00:35:11 PST -------
Mihai, I'm going to pick this up if you don't mind.
------- Comment #5 From 2013-02-04 05:12:23 PST -------
Poking the webkit-dev bear again: https://lists.webkit.org/pipermail/webkit-dev/2013-February/023636.html