Closed Bug 757939 Opened 13 years ago Closed 13 years ago

As a popup's opener is navigating from same- to cross-origin, reading window.location.href throws while window.history.back() still works

Categories

(Core :: DOM: Navigation, defect)

x86_64
Windows 7
defect
Not set
normal

Tracking

RESOLVED INVALID

People

(Reporter: justin.lebar+bug, Unassigned)

Of course, you can't read window.location.href cross-origin.

Similarly, history.back() has no effect on a cross-origin window.opener. (Doesn't throw; just silently fails.) This appears to be specific to window.opener -- I *can* call back() on a cross-origin popup I opened myself.

The testcase in bug 757376 does

  var i = setInterval('try{opener.location.href}catch(e){opener.history.back();clearInterval(i)}',10)

The fact that this does something indicates that opener.location.href stops working before opener.history.back() stops working. Which is probably a bug.

I don't think fixing this is how we should fix bug 757376, but this behavior still seems wrong.

Summary: While a popup's opener is navigating from same- to cross-origin, reading window.location.href throws while window.history.back() still works → As a popup's opener is navigating from same- to cross-origin, reading window.location.href throws while window.history.back() still works

(In reply to Justin Lebar [:jlebar] from comment #0)
> The fact that this does something indicates that opener.location.href stops
> working before opener.history.back() stops working. Which is probably a bug.

Does opener.history.back() ever stop working? In step 3 of the manual testcase, I can call opener.history.back() long after opener.location.href is blocked by XOW.

Does it matter for cross-origin access guards which window is the opener? I thought as long as a window had a reference to another one, it could call any properties exposed by IsPermitted, but I may be mistaken.

Oh, I fail at using my confusing manual testcase. You're totally right. Sorry about that!
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → INVALID
Group: core-security