[whatwg] Spec for location object needs to make some properties unforgeable; need supporting WebIDL changes
Adam Barth
w3c at adambarth.com
Mon Sep 24 23:24:52 PDT 2012
Also valueOf.
Adam
On Mon, Sep 24, 2012 at 10:10 PM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> Turns out, some things care about at least the .href and .toString of
> Location objects for security-check purposes. So they need to be
> unforgeable. But of course WebIDL doesn't provide a way to make anything
> other than readonly attributes unforgeable. It seems like it needs to.
>
> In terms of current UA behavior for Location, it is full of weird. The only
> interoperable part seems to be that href and toString can't be effectively
> redefined.
>
> In IE and Gecko, neither can any of the other IDL properties of Location
> objects. So we have indications that making everything on this interface
> unforgeable is sufficiently web-compatible.
>
> Specifically, on the attached testcase, I see the following behavior:
>
> Opera:
> * toString is not an own prop, is a configurable prop on the proto,
> but defineProperty on the object for it fails with an exception due
> to it not being configurable(!)
> * href is a non-configurable own prop
> * assign/replace/reload are normal props on the proto
> * The rest are normal accessor props on the object itself.
>
> Chrome:
>
> * toString is a non-configurable readonly own prop
> * href is a non-configurable own prop for which defineProperty
> silently does nothing.
> * assign/replace/reload are just like toString
> * The rest are "normal" data props on the object, except
> defineProperty does not change the value, which it should
> for normal props.
>
> Safari:
>
> * toString is a non-configurable readonly own prop and also a
> non-configurable writable prop on the proto. Except
> location.hasOwnProperty("toString") returns false.
> * href is a non-configurable readonly own prop
> * assign/replace/reload are just like toString except writable, so
> defineProperty can change the value.
> * The rest are all readonly non-configurable props on the object
> itself.
>
> Gecko:
>
> * It's all weird, because location is actually a bizarro proxy object
> (e.g. it has no __proto__ property, returns weird stuff that can't
> be stringified from Object.getPrototypeOf()).
> * The key part is that trying to redefine _any_ of the properties
> that live on Location.prototype on the location object itself is
> disallowed in Gecko.
>
> IE9:
>
> * All properties throw when getting property descriptors on location
> object.
> * Some properties are configurable on the proto and some are not.
> * All properties throw when trying to redefine. Including non-IDL
> properties. Setting expandos works fine, though.
> * All properties claim to not be own properties.
>
> -Boris
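
A probe in the spirit of the testcase described above, added here as an illustration; it is not the attachment from the original message. The names `probeProperty`, `probeAll` and `makeSample` are hypothetical, and the sample object is a constructed stand-in so the block runs outside a browser.

```javascript
// Added example. probeProperty/probeAll/makeSample are hypothetical names.
// Note: a probe that succeeds leaves the forged value on the object.
function probeProperty(obj, name) {
  const r = { own: false, ownConfigurable: null, protoConfigurable: null, redefine: null };
  try {
    const own = Object.getOwnPropertyDescriptor(obj, name);
    if (own) { r.own = true; r.ownConfigurable = own.configurable; }
    const proto = Object.getPrototypeOf(obj);
    const inherited = proto && Object.getOwnPropertyDescriptor(proto, name);
    if (inherited) r.protoConfigurable = inherited.configurable;
  } catch (e) {
    r.own = 'threw'; // descriptor lookup itself throws (reported for IE9)
  }
  const forged = function () { return 'forged'; };
  try {
    Object.defineProperty(obj, name, { value: forged, configurable: true });
    // A silent no-op leaves the original value in place, so read it back.
    r.redefine = obj[name] === forged ? 'succeeded' : 'silently ignored';
  } catch (e) {
    r.redefine = 'threw';
  }
  return r;
}

function probeAll(obj, names) {
  const out = {};
  for (const n of names) out[n] = probeProperty(obj, n);
  return out;
}

// Constructed stand-in for a Location-like object (not a real browser object):
// href and toString are non-configurable own props, reload lives on the proto.
function makeSample() {
  const obj = Object.create({ reload() {} });
  Object.defineProperty(obj, 'href', { get: () => 'https://example.test/', configurable: false });
  Object.defineProperty(obj, 'toString', { value() { return this.href; }, writable: false, configurable: false });
  return obj;
}

// In a browser: probeAll(window.location, ['href', 'toString', 'valueOf', 'assign', 'replace', 'reload'])
console.log(probeAll(makeSample(), ['href', 'toString', 'reload']));
```

A `redefine` result of `succeeded` marks a property that script can shadow on the object, which is the forgeable case the thread is concerned with.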