
Re: [whatwg] Need to define same-origin policy for WebIDL operations/getters/setters

From: Ian Hickson <ian@hixie.ch>
Date: Thu, 10 Jan 2013 00:42:15 +0000 (UTC)
To: James Graham <jgraham@opera.com>
Message-ID: <Pine.LNX.4.64.1301100041590.2101@ps20323.dreamhostps.com>
Cc: whatwg <whatwg@lists.whatwg.org>, Boris Zbarsky <bzbarsky@MIT.EDU>, Adam Barth <w3c@adambarth.com>
On Wed, 9 Jan 2013, James Graham wrote:
> On Wed, 9 Jan 2013, Boris Zbarsky wrote:
> > On 1/9/13 4:12 PM, Adam Barth wrote:
> > > >    window.addEventListener.call(otherWindow, "click", function() {});
> > > 
> > > This example does not appear to throw an exception in Chrome.  It 
> > > appears to just return undefined without doing anything (except 
> > > logging a security error to the debug console).
> > 
> > Hmm.  I may be able to convince that turning security errors like this 
> > into silent no-ops returning undefined is ok, but throwing an 
> > exception seems like a much better idea to me if you're going to 
> > completely not do what you were asked to do...  The other option 
> > introduces hard-to-debug bugs.
> 
> FWIW I have run into this behaviour in WebKit in the context of using 
> the platform, and I considered it very user-hostile.

Yeah, we should throw a SecurityError exception in these cases IMHO.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 10 January 2013 00:42:39 GMT