Bug 839867: Align Gecko and the spec on cross-origin access to location.hash
Status: RESOLVED FIXED (mozilla21)
Opened 12 years ago, closed 12 years ago
Categories: Core :: XPConnect, defect
People: Reporter: bugzilla, Assigned: bholley
Attachments: 3 files
After seeing bug 801576 I have made some tests of what JavaScript properties different browsers make available cross origin. I have found that Firefox is the only browser that makes the setter for Location.hash available cross origin.
Firefox cross origin access is defined by IsPermitted in http://hg.mozilla.org/mozilla-central/file/tip/js/xpconnect/wrappers/AccessCheck.cpp#l136
Chrome cross origin access is defined by enum AccessControl in http://code.google.com/p/v8/source/browse/trunk/include/v8.h#1534
I have attached a page which tests access to all the properties allowed by Firefox and Chrome as well as some other properties, and a table which shows the results for Firefox, Chrome, IE9 and Opera. Chrome is a little difficult to test since it returns undefined instead of throwing an exception when access is denied. I have only tested ability to read and write the properties, so I don't know what happens if you try to use the returned values.
I don't have a Mac to test Safari, and I have trouble downloading IE10 from Microsoft's website, so I haven't tested in those.
The cells in the results table that say "no" but are still colored yellow mean that I only determined this by reading the source code, but I was not able to test it.
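Added example (not from the bug or its attachments): a read/write probe of the kind the description describes, run in Node.js against a mock cross-origin Location built with Proxy, including the case where denial yields undefined instead of an exception. The two policy tables, the mock, and the "silent" write behaviour are assumptions made for illustration, not Gecko's or V8's implementation.

```javascript
// Constructed policies: Location properties a cross-origin caller may get/set.
// "spec" is the bug's target; "geckoBeforeFix" adds the hash setter.
const POLICIES = {
  spec:           { get: ["replace"], set: ["href"] },
  geckoBeforeFix: { get: ["replace"], set: ["href", "hash"] },
};

// Hypothetical stand-in for a cross-origin Location wrapper. denial "throw"
// raises on denied access; "silent" returns undefined on denied reads and
// drops denied writes (the write half is an assumption).
function mockCrossOriginLocation(policy, denial) {
  const target = { href: "https://other.example/#a", hash: "#a", replace() {} };
  const deny = (op, prop) => {
    if (denial === "throw") throw new Error(`denied: ${op} ${String(prop)}`);
  };
  return new Proxy(target, {
    get: (t, p) => (policy.get.includes(p) ? t[p] : deny("get", p)),
    set(t, p, v) {
      if (policy.set.includes(p)) t[p] = v; else deny("set", p);
      return true; // a silent denial must not surface as a TypeError
    },
  });
}

// Classify one property: a thrown exception is a clear denial, while
// undefined or "no exception" on its own does not prove access was granted.
function probe(loc, prop) {
  let read, write;
  try {
    read = loc[prop] === undefined ? "undefined (ambiguous)" : "allowed";
  } catch { read = "denied"; }
  try {
    loc[prop] = "#probe";
    write = "no exception";
  } catch { write = "denied"; }
  return { read, write };
}

// Probe the three properties of interest under one policy and denial style.
function matrix(policyName, denial) {
  const loc = mockCrossOriginLocation(POLICIES[policyName], denial);
  return Object.fromEntries(["href", "hash", "replace"].map((p) => [p, probe(loc, p)]));
}

console.log(matrix("geckoBeforeFix", "throw").hash, matrix("spec", "throw").hash);
```

With the "silent" style, a denied hash write is indistinguishable from an allowed one by exception alone, which is why such results need confirming by another route.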
Comment 1 (Reporter) • 12 years ago
Comment 2 (Assignee) • 12 years ago
Jesper, this is incredible work. Thanks.
The data indicates that Gecko is the only UA that allows cross-origin sets of Location.hash. I know people used to use this as a hacky cross-domain messaging system before window.postMessage, and would have thought that there would still be legacy use cases out there. But given that the rest of the web seems to have turned this off, I think we should too, unless there's more background here I'm not aware of.
I'll attach a patch and push it to try.
Comment 3 (Assignee) • 12 years ago
Assignee: nobody → bobbyholley+bmo
Comment 4 (Assignee) • 12 years ago
Green except for one test that was relying on cross-origin Location.hash to do something along the lines of what was described in comment 2. I fixed that test, and pushed for another mochitest-1 run to make sure there were no other failures.
Comment 5 (Assignee) • 12 years ago
Comment 6 (Assignee) • 12 years ago
We update the tests to cover this case. There was also a bug in the tests where
we were accidentally testing non-writable Location properties against window
rather than window.location. :-(
Attachment #712275 - Flags: review?(bzbarsky)
Comment 7 • 12 years ago
Comment on attachment 712275: Align gecko with the spec on cross-origin access to Location.hash. v1
r=me
Attachment #712275 - Flags: review?(bzbarsky) → review+
Comment 8 (Assignee) • 12 years ago
Comment 9 • 12 years ago
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla21