654137 - window.top should not be replaceable

Status: RESOLVED FIXED

(Core :: DOM: Core & HTML, defect)

Description

[Danny Althoff]

User-Agent:       Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Build Identifier: Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

The attribute "top" from the window-object can be changed to anything i want.

The W3C states that this attribute has to be read-only:
http://www.w3.org/TR/Window/#window-embedding

tested locally and with own webserver ... but should be the same on other systems

Reproducible: Always

Steps to Reproduce:
1. make a page that opens another page via window.open
2. try to change window.open to "hello world" or anything else

Actual Results:  
window.top can be changed to anything i want to (strings, objects, null,...)

Expected Results:  
window.top avoids to be changed by javascript

Tested locally (file:///....) and via own webserver (to wipe out other restrictions)

Tested with current Firefox 4 (4.0.1) in german localization

Comment 1

[Danny Althoff]

Attachment: my example-files

If my server is not up, here my testfiles

Comment 2

[Boris Zbarsky [:bzbarsky]]

It's readonly, but replaceable in Gecko (see section B of the link you cite).

What do other browsers do here?

Comment 3

[Boris Zbarsky [:bzbarsky]]

Looks like it's not replaceable in Safari, Chrome, Opera.

jst, how do you feel about changing that in Gecko?

Comment 4

[Danny Althoff]

(In reply to comment #3)
> Looks like it's not replaceable in Safari, Chrome, Opera.

I think this is a small flaw of implementation of that spec in gecko. It has its reason why it should not be replaceable ... could be misused in some ways i guess (opening pages in hidden iframes without having affected to be replaced from that iframes by setting the top-attribute to null or anything else than the real top).

i dont have made up a lot of thoughts, just hat do give it a try when it came into my mind ;)

Comment 5

[Boris Zbarsky [:bzbarsky]]

Well, the reason to have properties replaceable is so that this sort of script could work:

  top = document.body.offsetTop;
  top += 5;
  myDiv.style.top = top + "px";

Note that this script will fail in non-Gecko browsers right now, whereas if the first line started with |var| then it will work in all browsers.

Comment 6

[Danny Althoff]

(In reply to comment #5)
> Well, the reason to have properties replaceable is so that this sort of script
> could work:
> 
>   top = document.body.offsetTop;
>   top += 5;
>   myDiv.style.top = top + "px";
> 
> Note that this script will fail in non-Gecko browsers right now, whereas if the
> first line started with |var| then it will work in all browsers.

good example, but due to "all" other browsers are handling "top" as non-replaceable i think gecko is just handling it wrong in replacing special properties. i personally think its bad-practice to use keywords as variable-names, especially without explicit using "var" (got in a lot of trouble already by using other persons code). currently im starting to think if it is possible to change other properties like document or something like that ...

Comment 7

[:Ms2ger (he/him; ⌚ UTC+1/+2)]

Attachment: Patch v1

Expectedly, this caused a test failure. Unexpectedly, it caused only one.

Comment 8

[Boris Zbarsky [:bzbarsky]]

Comment on attachment 530938 [details] [diff] [review]
Patch v1

r=me

Comment 9

[:Ms2ger (he/him; ⌚ UTC+1/+2)]

Thanks!

http://hg.mozilla.org/mozilla-central/rev/d75f13dbf81f

Comment 10

[Nickolay_Ponomarev]

Should be probably mentioned on https://developer.mozilla.org/en/window.top

Comment 11

[Eric Shepherd [:sheppy]]

Documentation updated:

https://developer.mozilla.org/en/DOM/window.top

Mentioned on Firefox 6 for developers.