Closed Bug 839867 Opened 11 years ago Closed 11 years ago

Align Gecko and the spec on cross-origin access to location.hash

Categories

(Core :: XPConnect, defect)

Product:
Core
Component:
XPConnect
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla21

People

(Reporter: bugzilla, Assigned: bholley)

Details

Attachments

(3 files)

Test results
6.80 KB, text/html
Details
Test page
2.76 KB, text/html
Details
Align gecko with the spec on cross-origin access to Location.hash. v1
3.66 KB, patch
bzbarsky
: review+
Details | Diff | Splinter Review
Attached file Test results 
After seeing bug 801576 I have made some tests of what JavaScript properties different browsers make available cross origin. I have found that Firefox is the only browser that makes the setter for Location.hash available cross origin.

Firefox cross origin access is defined by IsPermitted in http://hg.mozilla.org/mozilla-central/file/tip/js/xpconnect/wrappers/AccessCheck.cpp#l136

Chrome cross origin access is defined by enum AccessControl in http://code.google.com/p/v8/source/browse/trunk/include/v8.h#1534

I have attached a page which tests access to all the properties allowed by Firefox and Chrome as well as some other properties, and a table which shows the results for Firefox, Chrome, IE9 and Opera. Chrome is a little difficult to test since it returns undefined instead of throwing an exception when access is denied. I have only tested ability to read and write the properties, so I don't know what happens if you try to use the returned values.

I don't have a Mac to test Safari, and I have troubles downloading IE10 from Microsoft's website, so I haven't tested in those.

The cells in the results table that say "no" but are still colored yellow means that I only determined this by reading the source code, but I were not able to test it.
Attached file Test page 

    
    

    
  
Jesper, this is incredible work. Thanks.

The data indicates that Gecko is the only UA that allows cross-origin sets of Location.hash. I know people used to use this as a hacky cross-domain messaging system before window.postMessage, and would have thought that there would still be legacy use cases out there. But given that the rest of the web seems to have turned this off, I think we should too, unless there's more background here I'm not aware of.

I'll attach a patch and push it to try.

    
    

    
  
https://tbpl.mozilla.org/?tree=Try&rev=77f7b9aaffdc
Assignee: nobody → bobbyholley+bmo

    
    

    
  
Green except for one test that was relying on cross-origin Location.hash to do something along the lines of what was described in comment 2. I fixed that test, and pushed for another mochitest-1 run to make sure there were no other failures.

    
    

    
  


  
We update the tests to cover this case. There was also a bug in the tests where
we were accidentally testing non-writable Location properties against window
rather than window.location. :-(

        Attachment #712275 -
        Flags: review?(bzbarsky)

    
    

    
  
Comment on attachment 712275 [details] [diff] [review]
Align gecko with the spec on cross-origin access to Location.hash. v1

r=me

        Attachment #712275 -
        Flags: review?(bzbarsky) → review+

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/1c2e7ae47afc
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla21

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: