Jesper, this is incredible work. Thanks. The data indicates that Gecko is the only UA that allows cross-origin sets of Location.hash. I know people used to use this as a hacky cross-domain messaging system before window.postMessage, and would have thought that there would still be legacy use cases out there. But given that the rest of the web seems to have turned this off, I think we should too, unless there's more background here I'm not aware of. I'll attach a patch and push it to try.
Green except for one test that was relying on cross-origin Location.hash to do something along the lines of what was described in comment 2. I fixed that test, and pushed for another mochitest-1 run to make sure there were no other failures.
Created attachment 712275 [details] [diff] [review] Align gecko with the spec on cross-origin access to Location.hash. v1 We update the tests to cover this case. There was also a bug in the tests where we were accidentally testing non-writable Location properties against window rather than window.location. :-(
Comment on attachment 712275 [details] [diff] [review] Align gecko with the spec on cross-origin access to Location.hash. v1 r=me