[whatwg] Spec for location object needs to make some properties unforgeable; need supporting WebIDL changes

Adam Barth w3c at adambarth.com
Mon Sep 24 23:24:52 PDT 2012


Also valueOf.

Adam


On Mon, Sep 24, 2012 at 10:10 PM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> Turns out, some things care about at least the .href and .toString of
> Location objects for security-check purposes.  So they need to be
> unforgeable.  But of course WebIDL doesn't provide a way to make anything
> other than readonly attributes unforgeable.  It seems like it needs to.
>
> In terms of current UA behavior for Location, it is full of weird.  The only
> interoperable part seems to be that href and toString can't be effectively
> redefined.
>
> In IE and Gecko, neither can any of the other IDL properties of Location
> objects.  So we have indications that making everything on this interface
> unforgeable is sufficiently web-compatible.
>
> Specifically, on the attached testcase, I see the following behavior:
>
> Opera:
>   * toString is not an own prop, is a configurable prop on the proto,
>     but defineProperty on the object for it fails with an exception due
>     to it not being configurable(!)
>   * href is a non-configurable own prop
>   * assign/replace/reload are normal props on the proto
>   * The rest are normal accessor props on the object itself.
>
> Chrome:
>
>   * toString is a non-configurable readonly own prop
>   * href is a non-configurable own prop for which defineProperty
>     silently does nothing.
>   * assign/replace/reload are just like toString
>   * The rest are "normal" data props on the object, except
>     defineProperty does not change the value, which it should
>     for normal props.
>
> Safari:
>
>   * toString is a non-configurable readonly own prop and also a
>     non-configurable writable prop on the proto.  Except
>     location.hasOwnProperty("toString") returns false.
>   * href is a non-configurable readonly own prop
>   * assign/replace/reload are just like toString except writable, so
>     defineProperty can change the value.
>   * The rest are all readonly non-configurable props on the object
>     itself.
>
> Gecko:
>
>   * It's all weird, because location is actually a bizarro proxy object
>     (e.g. it has no __proto__ property, returns weird stuff that can't
>     be stringified from Object.getPrototypeOf()).
>   * The key part is that trying to redefine _any_ of the properties
>     that live on Location.prototype on the location object itself is
>     disallowed in Gecko.
>
> IE9:
>
>   * All properties throw when getting property descriptors on location
>     object.
>   * Some properties are configurable on the proto and some are not.
>   * All properties throw when trying to redefine.  Including non-IDL
>     properties.  Setting expandos works fine, though.
>   * All properties claim to not be own properties.
>
> -Boris
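
An added example, not the testcase referred to in the thread and not code from either poster: a JavaScript probe that classifies how each property of an object responds to a redefinition attempt, covering the three outcomes reported above (exception, silent no-op, successful shadowing). The mock object, the function names, and the example.test URL are constructed for illustration so the script also runs under Node; in a browser console, call probe(window.location, [...]) instead.

```javascript
// Classify how property `name` on `obj` reacts to an attempt to shadow it
// with Object.defineProperty, and undo the change if the attempt succeeded.
function probeProperty(obj, name) {
  const result = { own: null, configurable: null, redefine: null };
  let before;
  try {
    before = Object.getOwnPropertyDescriptor(obj, name);
    result.own = before !== undefined;
    result.configurable = before ? before.configurable : null;
  } catch (e) {
    result.own = "throws"; // some engines throw on descriptor access
  }
  const sentinel = function forged() {};
  try {
    Object.defineProperty(obj, name, { value: sentinel, configurable: true });
    // No exception does not mean it worked: compare the effective value.
    result.redefine = obj[name] === sentinel ? "forged" : "ignored";
  } catch (e) {
    result.redefine = "throws";
  }
  if (result.redefine === "forged") {
    // Restore the original state so the probe has no lasting side effect.
    if (before) Object.defineProperty(obj, name, before);
    else delete obj[name];
  }
  return result;
}

function probe(obj, names) {
  return Object.fromEntries(names.map((n) => [n, probeProperty(obj, n)]));
}

// Constructed stand-in for a Location object (not a real browser object):
// href and toString are locked on the instance, assign lives on the
// prototype, and valueOf is inherited from Object.prototype.
function makeMockLocation() {
  const proto = { assign(url) {} };
  const loc = Object.create(proto);
  Object.defineProperty(loc, "href", {
    get: () => "https://example.test/", enumerable: true, configurable: false });
  Object.defineProperty(loc, "toString", {
    value: () => "https://example.test/", writable: false, configurable: false });
  return loc;
}

const report = probe(makeMockLocation(), ["href", "toString", "valueOf", "assign"]);
console.table(report);
```

On the mock, href and toString report "throws" while valueOf and assign report "forged", which is the gap the reply about valueOf points at.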


