Bug 839867 - Align Gecko and the spec on cross-origin access to location.hash
Status: RESOLVED FIXED
Product: Core
Classification: Components
Component: XPConnect
Version: unspecified
Platform: All All
Importance: -- normal
Target Milestone: mozilla21
Assigned To: Bobby Holley (:bholley) (busy with Stylo)
Reported: 2013-02-10 03:41 PST by Jesper Kristensen
Modified: 2013-02-11 11:17 PST
ryanvm: in‑testsuite+


Attachments
Test results (6.80 KB, text/html)
2013-02-10 03:41 PST, Jesper Kristensen
Test page (2.76 KB, text/html)
2013-02-10 03:42 PST, Jesper Kristensen
Align gecko with the spec on cross-origin access to Location.hash. v1 (3.66 KB, patch)
2013-02-10 11:06 PST, Bobby Holley (:bholley) (busy with Stylo)
bzbarsky: review+

Description Jesper Kristensen 2013-02-10 03:41:46 PST
Created attachment 712247
Test results

After seeing bug 801576 I have made some tests of what JavaScript properties different browsers make available cross origin. I have found that Firefox is the only browser that makes the setter for Location.hash available cross origin.

Firefox cross origin access is defined by IsPermitted in http://hg.mozilla.org/mozilla-central/file/tip/js/xpconnect/wrappers/AccessCheck.cpp#l136

Chrome cross origin access is defined by enum AccessControl in http://code.google.com/p/v8/source/browse/trunk/include/v8.h#1534

I have attached a page which tests access to all the properties allowed by Firefox and Chrome as well as some other properties, and a table which shows the results for Firefox, Chrome, IE9 and Opera. Chrome is a little difficult to test since it returns undefined instead of throwing an exception when access is denied. I have only tested ability to read and write the properties, so I don't know what happens if you try to use the returned values.

I don't have a Mac to test Safari, and I have trouble downloading IE10 from Microsoft's website, so I haven't tested in those.

The cells in the results table that say "no" but are still colored yellow mean that I only determined this by reading the source code, but I was not able to test it.
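
The read/write probing described in the report above, as an added example (not the attached test page and not Mozilla code). The Proxy objects are constructed stand-ins for a cross-origin Location, and the `href` setter being exposed cross-origin is an assumption taken from the HTML specification, not from this page.

```javascript
// Classify one property access: did it throw, yield undefined, or succeed?
function probe(target, prop) {
  const result = {};
  try {
    result.read = target[prop] === undefined ? "undefined" : "value";
  } catch (e) {
    result.read = "throws";
  }
  try {
    target[prop] = "#probe"; // constructed value, only written to the mocks below
    result.write = "no exception";
  } catch (e) {
    result.write = "throws";
  }
  return result;
}

// Constructed stand-in for a cross-origin Location (not a real browser object).
// `writable` lists the properties whose setter is exposed. `silent` models the
// behaviour the report attributes to Chrome: undefined instead of an exception.
function mockCrossOriginLocation(writable, silent = false) {
  const deny = () => {
    if (silent) return undefined;
    throw new Error("Permission denied to access property");
  };
  return new Proxy({}, {
    get: () => deny(),
    set: (store, prop, value) => {
      if (writable.includes(prop)) { store[prop] = value; return true; }
      deny();
      return true; // silent mode: the write is dropped without an exception
    },
  });
}

// Probe each model and collect the results as model -> property -> outcome.
function runMatrix() {
  const models = {
    "hash setter exposed": mockCrossOriginLocation(["href", "hash"]),
    "hash setter denied": mockCrossOriginLocation(["href"]),
    "silent denial": mockCrossOriginLocation(["href"], true),
  };
  const table = {};
  for (const [name, loc] of Object.entries(models)) {
    table[name] = Object.fromEntries(["href", "hash"].map((p) => [p, probe(loc, p)]));
  }
  return table;
}

console.log(JSON.stringify(runMatrix(), null, 2));
```

In the "silent denial" model the `hash` write reports "no exception" even though it was dropped, which is why an exception-based probe alone cannot separate allowed from denied access in an engine that returns undefined.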

Comment 1 Jesper Kristensen 2013-02-10 03:42:54 PST
Created attachment 712248
Test page

Comment 2 Bobby Holley (:bholley) (busy with Stylo) 2013-02-10 06:04:02 PST
Jesper, this is incredible work. Thanks.

The data indicates that Gecko is the only UA that allows cross-origin sets of Location.hash. I know people used to use this as a hacky cross-domain messaging system before window.postMessage, and would have thought that there would still be legacy use cases out there. But given that the rest of the web seems to have turned this off, I think we should too, unless there's more background here I'm not aware of.

I'll attach a patch and push it to try.

Comment 3 Bobby Holley (:bholley) (busy with Stylo) 2013-02-10 08:36:21 PST
https://tbpl.mozilla.org/?tree=Try&rev=77f7b9aaffdc

Comment 4 Bobby Holley (:bholley) (busy with Stylo) 2013-02-10 11:06:07 PST
Green except for one test that was relying on cross-origin Location.hash to do something along the lines of what was described in comment 2. I fixed that test, and pushed for another mochitest-1 run to make sure there were no other failures.

Comment 5 Bobby Holley (:bholley) (busy with Stylo) 2013-02-10 11:06:14 PST
https://tbpl.mozilla.org/?tree=Try&rev=59e61d3dfb29

Comment 6 Bobby Holley (:bholley) (busy with Stylo) 2013-02-10 11:06:33 PST
Created attachment 712275
Align gecko with the spec on cross-origin access to Location.hash. v1

We update the tests to cover this case. There was also a bug in the tests where
we were accidentally testing non-writable Location properties against window
rather than window.location. :-(

Comment 7 Boris Zbarsky [:bz] (still a bit busy) 2013-02-10 11:22:29 PST
Comment on attachment 712275
Align gecko with the spec on cross-origin access to Location.hash. v1

r=me

Comment 8 Bobby Holley (:bholley) (busy with Stylo) 2013-02-10 15:06:03 PST
https://hg.mozilla.org/integration/mozilla-inbound/rev/1c2e7ae47afc

Comment 9 Ryan VanderMeulen [:RyanVM] 2013-02-11 11:17:09 PST
https://hg.mozilla.org/mozilla-central/rev/1c2e7ae47afc
