627891 - |function location() { }| in global code violates integrity of window.location, confusing plugins that need to determine embedding location

Status: RESOLVED DUPLICATE of bug 622199

(Core Graveyard :: Plug-ins, defect)

Description

[Jeff Walden [:Waldo]]

function location() { } in global code overwrites window.location.  Since plugins currently query that to get the location of the page that embedded them (stupid, I know), this makes it possible to confuse a plugin into giving up information it might have saved for other origins.  bz claimed to me when I last discussed this with him that this bug was filed, but my searching didn't find it, so I'm filing it anew.

Bug 577325 will fix this on trunk by updating the function statement algorithm.  Should that fix conceivably be backported, after it's landed and baked?

Comment 1

[Jeff Walden [:Waldo]]

(I haven't marked a dependency because that fix might not be right for branches and because I don't want to clue anyone watching into it also fixing a security bug.  Paranoia?  Sure, but better that than a zero-day from someone who can put the pieces together.)

Comment 2

[Boris Zbarsky [:bzbarsky]]

Uh... location is a replaceable property.  That means that |function location| or |var location| at window scope are supposed to get rid of the old property and define a new one, not call the location setter.  That's a must for web compat.

Which does mean that the plug-in window.location crap is just broken.  It's broken.  That's just the way it is; the only way to unbreak it is to break websites.  We should stop pretending it's not broken, expose an API for plug-ins to get the origin of the document, and be done with it.  We have bugs on that already, no?