Closed Bug 839867 Opened 7 years ago Closed 7 years ago

Align Gecko and the spec on cross-origin access to location.hash


(Core :: XPConnect, defect)

Not set





(Reporter: bugzilla, Assigned: bholley)



(3 files)

Attached file Test results
After seeing bug 801576 I have made some tests of what JavaScript properties different browsers make available cross origin. I have found that Firefox is the only browser that makes the setter for Location.hash available cross origin.

Firefox cross origin access is defined by IsPermitted in

Chrome cross origin access is defined by enum AccessControl in

I have attached a page which tests access to all the properties allowed by Firefox and Chrome as well as some other properties, and a table which shows the results for Firefox, Chrome, IE9 and Opera. Chrome is a little difficult to test since it returns undefined instead of throwing an exception when access is denied. I have only tested ability to read and write the properties, so I don't know what happens if you try to use the returned values.

I don't have a Mac to test Safari, and I have troubles downloading IE10 from Microsoft's website, so I haven't tested in those.

The cells in the results table that say "no" but are still colored yellow means that I only determined this by reading the source code, but I were not able to test it.
Attached file Test page
Jesper, this is incredible work. Thanks.

The data indicates that Gecko is the only UA that allows cross-origin sets of Location.hash. I know people used to use this as a hacky cross-domain messaging system before window.postMessage, and would have thought that there would still be legacy use cases out there. But given that the rest of the web seems to have turned this off, I think we should too, unless there's more background here I'm not aware of.

I'll attach a patch and push it to try.
Assignee: nobody → bobbyholley+bmo
Green except for one test that was relying on cross-origin Location.hash to do something along the lines of what was described in comment 2. I fixed that test, and pushed for another mochitest-1 run to make sure there were no other failures.
We update the tests to cover this case. There was also a bug in the tests where
we were accidentally testing non-writable Location properties against window
rather than window.location. :-(
Attachment #712275 - Flags: review?(bzbarsky)
Comment on attachment 712275 [details] [diff] [review]
Align gecko with the spec on cross-origin access to Location.hash. v1

Attachment #712275 - Flags: review?(bzbarsky) → review+
Closed: 7 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
You need to log in before you can comment on or make changes to this bug.