Closed Bug 916939 Opened 7 years ago Closed 7 years ago

Drop support for named and indexed access on cross-origin windows

Categories

(Core :: XPConnect, defect)

x86
macOS
defect
Not set
normal

Tracking

RESOLVED WONTFIX
mozilla27

People

(Reporter: bholley, Assigned: bholley)

Attachments

(1 file)

The web currently allows this, and I recently filed [1] to get the spec updated here. But after discussing it, Boris and I think it's a major problem for security and for the general future of the web (especially for the kind of sandboxing everyone wants to move toward). As such, we're going to experiment with removing it. See [2].

[1] https://www.w3.org/Bugs/Public/show_bug.cgi?id=21674

[2] https://www.w3.org/Bugs/Public/show_bug.cgi?id=23218#c3
Component: DOM → XPConnect
See also bug 916945.
Depends on: 916983
Blocks: 916945
This is now green.
Attachment #806287 - Flags: review?(bzbarsky)
Let's make sure there are no disable-if-linux64 tests that rely on this:

https://tbpl.mozilla.org/?tree=Try&rev=87154b32287f
Comment on attachment 806287 [details] [diff] [review]
Drop support for named and indexed access on cross-origin windows. v1

r=me.  Fingers crossed!
Attachment #806287 - Flags: review?(bzbarsky) → review+
https://hg.mozilla.org/mozilla-central/rev/86128d3eac88
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla27
No longer depends on: 916983
Depends on: 916983
No longer blocks: 916945
Depends on: 918539
Just for the record: this patch just broke Google Hangouts.  See Bug 918539.
(In reply to Armin Ronacher from comment #10)
> Just for the record: this patch just broke Google Hangouts.  See Bug 918539.

Yeah, that doesn't bode well for this patch. I'm going to back it out and declare defeat on this one.
Resolution: FIXED → WONTFIX