This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 22102 - Enumeration of cross-origin objects should silently return nothing
Summary: Enumeration of cross-origin objects should silently return nothing
Status: RESOLVED FIXED
Alias: None
Product: WHATWG
Classification: Unclassified
Component: HTML (show other bugs)
Version: unspecified
Hardware: PC All
: P2 normal
Target Milestone: Unsorted
Assignee: Ian 'Hixie' Hickson
QA Contact: contributor
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-05-21 04:24 UTC by Bobby Holley (:bholley)
Modified: 2013-06-26 17:45 UTC (History)
3 users (show)

See Also:

Attachments

Description Bobby Holley (:bholley) 2013-05-21 04:24:49 UTC 
See https://bugzilla.mozilla.org/show_bug.cgi?id=862380#c4
Comment 1 Ian 'Hixie' Hickson 2013-06-10 21:47:08 UTC 
heycam, any input on how I should specify this from WebIDL's perspective?
Comment 2 Cameron McCormack 2013-06-10 23:58:16 UTC 
I don't even know if there's a good way to specify that from the perspective of the ES spec.  I think you'll just need to state the requirement about enumeration somewhere in your spec.  If you feel that the "Property enumeration" section in Web IDL needs some rework to "allow" your overriding it, let me know.
Comment 3 Ian 'Hixie' Hickson 2013-06-14 23:53:14 UTC 
I don't really understand how I would specify this.
Comment 4 Ian 'Hixie' Hickson 2013-06-24 20:18:06 UTC 
http://software.hixie.ch/utilities/js/live-dom-viewer/saved/2362

WebKit/Blink enumerate nothing.
Firefox enumerates nothing and bars access to .document for some reason.
IE throws an exception.


I've tried to specify what Webkit/Blink do here. Hopefully I didn't use terminology in a bogus fashion. As usual, reopen if I'm being silly...
Comment 5 contributor 2013-06-24 20:28:57 UTC 
Checked in as WHATWG revision r7997.
Check-in comment: Block enumeration of cross-origin objects, and clean up the language around those objects to be more consistent so that differences can more easily be seen.
http://html5.org/tools/web-apps-tracker?from=7996&to=7997
Comment 6 Bobby Holley (:bholley) 2013-06-24 20:45:57 UTC 
(In reply to comment #4)
> WebKit/Blink enumerate nothing.
> Firefox enumerates nothing and bars access to .document for some reason.

Window.document is not cross-origin accessible per-spec, right? AFAICT Gecko's behavior here is spec-correct:

http://www.whatwg.org/specs/web-apps/current-work/multipage/browsers.html#security-window
Comment 7 Bobby Holley (:bholley) 2013-06-24 20:48:50 UTC 
Also, why the localStorage changes? That's not cross-origin accessible, right?
Comment 8 Bobby Holley (:bholley) 2013-06-26 17:45:54 UTC 
(In reply to comment #6)
> (In reply to comment #4)
> > WebKit/Blink enumerate nothing.
> > Firefox enumerates nothing and bars access to .document for some reason.
> 
> Window.document is not cross-origin accessible per-spec, right? AFAICT
> Gecko's behavior here is spec-correct:

Hixie confirmed on IRC that this is correct.

(In reply to comment #7)
> Also, why the localStorage changes? That's not cross-origin accessible,
> right?

I've filed bug 22481 for this.