- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 24 Sep 2012 23:24:52 -0700
- To: Boris Zbarsky <bzbarsky@mit.edu>
- Cc: whatwg <whatwg@lists.whatwg.org>, "public-script-coord@w3.org" <public-script-coord@w3.org>
Also valueOf. Adam On Mon, Sep 24, 2012 at 10:10 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote: > Turns out, some things care about at least the .href and .toString of > Location objects for security-check purposes. So they need to be > unforgeable. But of course WebIDL doesn't provide a way to make anything > other than readonly attributes unforgeable. It seems like it needs to. > > In terms of current UA behavior for Location, it is full of weird. The only > interoparable part seems to be that href and toString can't be effectively > redefined. > > In IE and Gecko, neither can any of the other IDL properties of Location > objects. So we have indications that making everything on this interface > unforgeable is sufficiently web-compatible. > > Specifically, on the attached testcase, I see the following behavior: > > Opera: > * toString is not an own prop, is a configurable prop on the proto, > but defineProperty on the object for it fails with an exception due > to it not being configurable(!) > * href is a non-configurable own prop > * assign/replace/reload are normal props on the proto > * The rest are normal accessor props on the object itself. > > Chrome: > > * toString is a non-configurable readonly own prop > * href is a non-configurable own prop for which defineProperty > silently does nothing. > * assign/replace/reload are just like toString > * The rest are "normal" data props on the object, except > defineProperty does not change the value, which it should > for normal props. > > Safari: > > * toString is a non-configurable readonly own prop and also a > non-configurable writable prop on the proto. Except > location.hasOwnProperty("toString") returns false. > * href is a non-configurable readonly own prop > * assign/replace/reload are just like toString except writable, so > defineProperty can change the value. > * The rest are all readonly non-configurable props on the object > itself. > > Gecko: > > * It's all weird, because location is actually a bizarro proxy object > (e.g. it has no __proto__ property, returns weird stuff that can't > be stringified from Object.getPrototypeOf()). > * The key part is that trying to redefine _any_ of the properties > that live on Location.prototype on the location object itself is > disallowed in Gecko. > > IE9: > > * All properties throw when getting property descriptors on location > object. > * Some properties are configurable on the proto and some are not. > * All properties throw when trying to redefine. Including non-IDL > properties. Setting expandos works fine, though. > * All properties claim to not be own properties. > > -Boris
Received on Tuesday, 25 September 2012 06:33:43 UTC