Chromium Code Reviews

Issue 19095003: Throw 'SecurityError' upon cross-origin Location access. (Closed)

Created: 7 years, 5 months ago by Mike West
Modified: 7 years, 5 months ago
CC: blink-reviews, Nils Barth (inactive), jsbell+bindings_chromium.org, eae+blinkwatch, abarth-chromium, marja+watch_chromium.org, dglazkov+blink, adamk+blink_chromium.org, mkwst+watchlist_chromium.org, Nate Chapin, do-not-use
Visibility: Public.

Description

Throw 'SecurityError' upon cross-origin Location access.

As suggested in the HTML specification[1], IE and Firefox (and old Opera) throw a 'SecurityError' exception upon attempts to access Location object properties cross-origin. Chrome and WebKit do not, instead returning 'undefined' and writing an error to the console.

This has a few negative effects: developers are forced to hack around access violations in two ways rather than having a single code path, and (more annoyingly) developers are unable to avoid generating the error message. See every ad on the internet for the effect on the console. :)

This patch aligns Blink's behavior to IE and Firefox's by adding a 'SecurityError' exception to these access violations, which is the first step towards getting rid of the console spam. A subsequent patch will adjust the exception's message to contain some sanitized version of the current access violation detail message, and drop the unavoidable console messages. There will be much rejoicing.

[1]: http://www.whatwg.org/specs/web-apps/current-work/multipage/history.html#security-location

R=abarth@chromium.org
BUG=17325

Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=154376
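The two behaviours the description contrasts (a thrown 'SecurityError' versus a silent 'undefined'), handled in a single code path. This is an added example, not code from this change or from Blink; `classifyLocationAccess`, `mockFrame` and the sample frames are hypothetical names, and the frames are constructed stand-ins for window references so the block runs outside a browser.

```javascript
// Added example: classifyLocationAccess and the mock frames are hypothetical
// names, not Blink code or part of this change.

// Classify a frame reference using one code path for both behaviours:
//  - spec / IE / Firefox / patched Blink: reading a property throws 'SecurityError'
//  - pre-patch Chrome / WebKit: the read returns undefined (and logs to the console)
function classifyLocationAccess(frame) {
  let href;
  try {
    href = frame.location.href;
  } catch (e) {
    if (e && e.name === 'SecurityError') {
      return { sameOrigin: false, signal: 'SecurityError', href: null };
    }
    throw e; // unrelated failure: do not mask it as an access violation
  }
  if (href === undefined) {
    return { sameOrigin: false, signal: 'undefined', href: null };
  }
  return { sameOrigin: true, signal: 'none', href: String(href) };
}

// Constructed stand-ins for window references (no browser required).
function mockFrame(hrefGetter) {
  const location = {};
  Object.defineProperty(location, 'href', { get: hrefGetter });
  return { location };
}

const throwingFrame = mockFrame(() => {
  const err = new Error('cross-origin access blocked (constructed message)');
  err.name = 'SecurityError';
  throw err;
});
const legacyFrame = mockFrame(() => undefined);
const sameOriginFrame = mockFrame(() => 'https://app.example.test/inbox');

// Returns the signal observed for each constructed frame, in order.
function runDemo() {
  return [throwingFrame, legacyFrame, sameOriginFrame]
    .map((f) => classifyLocationAccess(f).signal);
}

console.log(runDemo().join(', '));
```

Only the 'SecurityError' branch lets a caller detect the violation without a console message being written; the 'undefined' branch is the legacy path this change sets out to retire.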

Patch Set 1
Total comments: 1

Patch Set 2: rebaseline.
Total comments: 1
Stats: +208 lines, -117 lines

M LayoutTests/http/tests/inspector/console-cross-origin-iframe-logging.html: 1 chunk, +6 lines, -2 lines, 0 comments
M LayoutTests/http/tests/inspector/console-cross-origin-iframe-logging-expected.txt: 1 chunk, +3 lines, -3 lines, 0 comments
M LayoutTests/http/tests/plugins/cross-frame-object-access-expected.txt: 1 chunk, +1 line, -0 lines, 0 comments
M LayoutTests/http/tests/plugins/resources/cross-frame-object-access.html: 2 chunks, +19 lines, -12 lines, 0 comments
M LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny.html: 1 chunk, +6 lines, -5 lines, 0 comments
M LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-expected.txt: 1 chunk, +1 line, -1 line, 0 comments
M LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag.html: 1 chunk, +6 lines, -5 lines, 0 comments
M LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-expected.txt: 1 chunk, +1 line, -1 line, 0 comments
M LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html: 1 chunk, +6 lines, -5 lines, 0 comments
M LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body-expected.txt: 1 chunk, +1 line, -1 line, 0 comments
M LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html: 1 chunk, +6 lines, -5 lines, 0 comments
M LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny-expected.txt: 1 chunk, +1 line, -1 line, 0 comments
M LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny.html: 1 chunk, +6 lines, -5 lines, 0 comments
M LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny-expected.txt: 1 chunk, +1 line, -1 line, 0 comments
M LayoutTests/http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny.html: 1 chunk, +6 lines, -5 lines, 0 comments
M LayoutTests/http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny-expected.txt: 1 chunk, +1 line, -1 line, 0 comments
M LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block-expected.txt: 1 chunk, +0 lines, -2 lines, 0 comments
M LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow-expected.txt: 1 chunk, +0 lines, -2 lines, 0 comments
M LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block-expected.txt: 1 chunk, +0 lines, -2 lines, 0 comments
M LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter-expected.txt: 1 chunk, +0 lines, -2 lines, 0 comments
M LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid-expected.txt: 1 chunk, +0 lines, -2 lines, 0 comments
M LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset-expected.txt: 1 chunk, +0 lines, -2 lines, 0 comments
M LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block-expected.txt: 1 chunk, +0 lines, -2 lines, 0 comments
M LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block-expected.txt: 1 chunk, +0 lines, -2 lines, 0 comments
M LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block-expected.txt: 1 chunk, +0 lines, -2 lines, 0 comments
M LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-block-expected.txt: 1 chunk, +1 line, -1 line, 0 comments
M LayoutTests/http/tests/security/contentSecurityPolicy/resources/reflected-xss-and-xss-protection.js: 1 chunk, +1 line, -1 line, 0 comments
M LayoutTests/http/tests/security/cross-frame-access-callback-explicit-domain-DENY-expected.txt: 2 chunks, +3 lines, -0 lines, 0 comments
M LayoutTests/http/tests/security/cross-frame-access-delete.html: 1 chunk, +2 lines, -2 lines, 0 comments
M LayoutTests/http/tests/security/cross-frame-access-delete-expected.txt: 1 chunk, +2 lines, -2 lines, 0 comments
M LayoutTests/http/tests/security/cross-frame-access-enumeration.html: 1 chunk, +20 lines, -10 lines, 0 comments
M LayoutTests/http/tests/security/cross-frame-access-enumeration-expected.txt: 1 chunk, +1 line, -0 lines, 0 comments
M LayoutTests/http/tests/security/cross-frame-access-location-get.html: 2 chunks, +14 lines, -1 line, 0 comments
M LayoutTests/http/tests/security/cross-frame-access-location-get-expected.txt: 3 chunks, +24 lines, -1 line, 0 comments
M LayoutTests/http/tests/security/cross-frame-access-location-put-expected.txt: 1 chunk, +5 lines, -0 lines, 0 comments
M LayoutTests/http/tests/security/resources/cross-frame-access.js: 1 chunk, +18 lines, -0 lines, 0 comments
M LayoutTests/http/tests/security/resources/cross-frame-iframe-callback-explicit-domain-DENY.html: 1 chunk, +2 lines, -1 line, 0 comments
M LayoutTests/http/tests/security/resources/cross-frame-iframe-for-location-get-test.html: 1 chunk, +2 lines, -1 line, 0 comments
M LayoutTests/http/tests/security/sandboxed-iframe-blocks-access-from-parent.html: 1 chunk, +7 lines, -3 lines, 0 comments
M LayoutTests/http/tests/security/sandboxed-iframe-blocks-access-from-parent-expected.txt: 1 chunk, +2 lines, -1 line, 0 comments
M LayoutTests/http/tests/security/xss-DENIED-assign-location-hash-expected.txt: 1 chunk, +1 line, -0 lines, 0 comments
M LayoutTests/http/tests/security/xss-DENIED-assign-location-host-expected.txt: 1 chunk, +1 line, -0 lines, 0 comments
M LayoutTests/http/tests/security/xss-DENIED-assign-location-hostname-expected.txt: 1 chunk, +1 line, -0 lines, 0 comments
M LayoutTests/http/tests/security/xss-DENIED-assign-location-nonstandardProperty-expected.txt: 1 chunk, +1 line, -0 lines, 0 comments
M LayoutTests/http/tests/security/xss-DENIED-assign-location-pathname-expected.txt: 1 chunk, +1 line, -0 lines, 0 comments
M LayoutTests/http/tests/security/xss-DENIED-assign-location-protocol-expected.txt: 1 chunk, +1 line, -0 lines, 0 comments
M LayoutTests/http/tests/security/xss-DENIED-assign-location-reload-expected.txt: 1 chunk, +1 line, -0 lines, 0 comments
M LayoutTests/http/tests/security/xss-DENIED-assign-location-search-expected.txt: 1 chunk, +1 line, -0 lines, 0 comments
M LayoutTests/http/tests/security/xssAuditor/block-does-not-leak-location.html: 1 chunk, +1 line, -2 lines, 0 comments
M LayoutTests/http/tests/security/xssAuditor/block-does-not-leak-location-expected.txt: 1 chunk, +1 line, -5 lines, 0 comments
M LayoutTests/http/tests/security/xssAuditor/full-block-base-href-expected.txt: 1 chunk, +1 line, -1 line, 0 comments
M LayoutTests/http/tests/security/xssAuditor/full-block-iframe-javascript-url-expected.txt: 1 chunk, +1 line, -1 line, 0 comments
M LayoutTests/http/tests/security/xssAuditor/full-block-javascript-link-expected.txt: 1 chunk, +1 line, -1 line, 0 comments
M LayoutTests/http/tests/security/xssAuditor/full-block-link-onclick-expected.txt: 1 chunk, +1 line, -1 line, 0 comments
M LayoutTests/http/tests/security/xssAuditor/full-block-object-tag-expected.txt: 1 chunk, +1 line, -1 line, 0 comments
M LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-cross-domain-expected.txt: 1 chunk, +1 line, -1 line, 0 comments
M LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-expected.txt: 1 chunk, +1 line, -1 line, 0 comments
M LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-with-source-expected.txt: 1 chunk, +1 line, -1 line, 0 comments
M LayoutTests/http/tests/security/xssAuditor/resources/utilities.js: 1 chunk, +7 lines, -5 lines, 0 comments
M LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-03-expected.txt: 1 chunk, +1 line, -1 line, 0 comments
M LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-04-expected.txt: 1 chunk, +1 line, -1 line, 0 comments
M Source/bindings/v8/V8Initializer.cpp: 2 chunks, +6 lines, -0 lines, 1 comment

Messages

Total messages: 12 (0 generated)
Mike West
This patch depends on V8 landing something like requires something like https://codereview.chromium.org/19053002/ and rolling it ...
7 years, 5 months ago (2013-07-12 09:35:14 UTC) #1
abarth-chromium
Looks reasonable to me. Let me know when you're further along.

https://codereview.chromium.org/19095003/diff/1/Source/bindings/v8/V8Initializer.cpp
File Source/bindings/v8/V8Initializer.cpp (right): ...
7 years, 5 months ago (2013-07-12 22:57:08 UTC) #2
Mike West
On 2013/07/12 22:57:08, abarth wrote:
> Looks reasonable to me. Let me know when you're ...
7 years, 5 months ago (2013-07-16 12:55:13 UTC) #3
abarth-chromium
The code change LGTM. I didn't review the test changes.
7 years, 5 months ago (2013-07-16 21:33:19 UTC) #4
Mike West
Thank you, Adam. Marja, Jochen, would you mind spot-checking a few of the test changes? ...
7 years, 5 months ago (2013-07-17 06:27:17 UTC) #5
haraken
LGTM
7 years, 5 months ago (2013-07-17 06:36:41 UTC) #6
Mike West
On 2013/07/17 06:36:41, haraken wrote:
> LGTM

Thanks Kentaro-san. :)
7 years, 5 months ago (2013-07-17 07:12:42 UTC) #7
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/mkwst@chromium.org/19095003/7001
7 years, 5 months ago (2013-07-17 07:12:56 UTC) #8
commit-bot: I haz the power
Change committed as 154376
7 years, 5 months ago (2013-07-17 07:21:30 UTC) #9
abarth-chromium
https://codereview.chromium.org/19095003/diff/7001/Source/bindings/v8/V8Initializer.cpp
File Source/bindings/v8/V8Initializer.cpp (right):

https://codereview.chromium.org/19095003/diff/7001/Source/bindings/v8/V8Initializer.cpp#newcode106
Source/bindings/v8/V8Initializer.cpp:106: targetWindow->printErrorMessage(targetWindow->crossDomainAccessErrorMessage(activeDOMWindow()));
I'm sorry I didn't mention this before, but ...
7 years, 5 months ago (2013-07-17 17:51:30 UTC) #10
levin
On 2013/07/17 17:51:30, abarth wrote:
> https://codereview.chromium.org/19095003/diff/7001/Source/bindings/v8/V8Initializer.cpp
> File Source/bindings/v8/V8Initializer.cpp (right):
>
> https://codereview.chromium.org/19095003/diff/7001/Source/bindings/v8/V8Initializer.cpp#newcode106
> ...
7 years, 5 months ago (2013-07-17 18:06:42 UTC) #11
abarth-chromium
7 years, 5 months ago (2013-07-17 18:25:48 UTC) #12
Message was sent while issue was closed.
Ah, I fail at reading.  :)
