[whatwg] Need to define same-origin policy for WebIDL operations/getters/setters

Ian Hickson ian at hixie.ch
Wed Jan 9 16:42:15 PST 2013


On Wed, 9 Jan 2013, James Graham wrote:
> On Wed, 9 Jan 2013, Boris Zbarsky wrote:
> > On 1/9/13 4:12 PM, Adam Barth wrote:
> > > >    window.addEventListener.call(otherWindow, "click", function() {});
> > > 
> > > This example does not appear to throw an exception in Chrome.  It 
> > > appears to just return undefined without doing anything (except 
> > > logging a security error to the debug console).
> > 
> > Hmm.  I may be able to convince that turning security errors like this 
> > into silent no-ops returning undefined is ok, but throwing an 
> > exception seems like a much better idea to me if you're going to 
> > completely not do what you were asked to do...  The other option 
> > introduces hard-to-debug bugs.
> 
> FWIW I have run into this behaviour in WebKit in the context of using 
> the platform, and I considered it very user-hostile.

Yeah, we should throw a SecurityError exception in these cases IMHO.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
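
The two behaviours discussed in this thread, as an added model that is not code from any participant or from a browser engine. The `SecurityError` class, `makeWindow`, `bindOperation`, `addEventListenerImpl`, `demo` and the example origins are all hypothetical names constructed for illustration; the point shown is that `addEventListener` returns undefined on success, so a silent refusal looks identical to success from the caller's side.

```javascript
// Added model, not browser source. All names below are hypothetical.
class SecurityError extends Error {
  constructor(message) {
    super(message);
    this.name = "SecurityError";
  }
}

// Constructed stand-in for a Window: an origin plus its registered listeners.
function makeWindow(origin) {
  return { origin, listeners: [] };
}

// Wrap an operation with a same-origin check on `this`.
// "silent": refuse quietly, return undefined (the behaviour reported for Chrome).
// "throw":  refuse with a SecurityError (the behaviour proposed in the thread).
function bindOperation(impl, callerOrigin, policy) {
  return function (...args) {
    if (this.origin !== callerOrigin) {
      if (policy === "throw") {
        throw new SecurityError("Blocked cross-origin call on " + this.origin);
      }
      return undefined;
    }
    return impl.apply(this, args);
  };
}

// Like the real addEventListener, this returns undefined on success.
function addEventListenerImpl(type, callback) {
  this.listeners.push({ type, callback });
}

// Make the thread's call against a same-origin and a cross-origin window
// and record what the caller observes versus what actually happened.
function demo(policy) {
  const caller = "https://a.example";
  const addEventListener = bindOperation(addEventListenerImpl, caller, policy);
  const report = {};
  for (const [label, origin] of [["same", caller], ["cross", "https://b.example"]]) {
    const target = makeWindow(origin);
    let outcome;
    try {
      outcome = String(addEventListener.call(target, "click", function () {}));
    } catch (e) {
      outcome = e.name;
    }
    report[label] = { outcome, registered: target.listeners.length };
  }
  return report;
}
```

Under the "silent" policy the caller sees the same result for both windows although only the same-origin listener was registered; under "throw" the refused call is visible at the call site.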


