From 9b22d034cd5a89cac9e54174d009ef8a256bcf13 Mon Sep 17 00:00:00 2001
From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 14 Sep 2016 18:50:33 +0200
Subject: [PATCH] Throw for cross-origin [[Delete]] and use "SecurityError" as
 needed

Returning false for [[Delete]] (on Window and Location objects) would
only cause its callers to throw in strict mode. Implementations
however always throw.

We also decided to throw "SecurityError" for [[DefineOwnProperty]]
and [[Set]] (the latter through CrossOriginSet). We did not do this
for all internal methods: only those where throwing was unique to
their cross-origin behavior.

Fixes #1726.
---
 source | 51 +++++++++++++++++++++++++++++----------------------
 1 file changed, 29 insertions(+), 22 deletions(-)

diff --git a/source b/source
index 30f8a4fea30..f12a231ab33 100644
--- a/source
+++ b/source
@@ -78365,13 +78365,9 @@ console.assert(iframeWindow.frameElement === null);
    <li><p>Assert: <var>desc</var> is not undefined.</p></li>
 
    <li>
-    <p>If <span>IsAccessorDescriptor</span>(<var>desc</var>) is true, then:</p>
+    <p>If <var>desc</var>.[[Set]] is present and its value is not undefined, then:
 
     <ol>
-     <li><p>Let <var>setter</var> be <var>desc</var>.[[Set]].</p></li>
-
-     <li><p>If <var>setter</var> is undefined, return false.</p></li>
-
      <li><p>Perform ? <span>Call</span>(<var>setter</var>, <var>Receiver</var>,
      «<var>V</var>»).</p></li>
 
@@ -78379,7 +78375,7 @@ console.assert(iframeWindow.frameElement === null);
     </ol>
    </li>
 
-   <li><p>Return false.</p></li>
+   <li><p>Throw a <span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p></li>
   </ol>
 
   <h5><dfn>CrossOriginOwnPropertyKeys</dfn> ( <var>O</var> )</h5>
@@ -79329,22 +79325,28 @@ callback <dfn>FrameRequestCallback</dfn> = void (<span>DOMHighResTimeStamp</span
   )</h4>
 
   <ol>
-   <li><p>If <var>P</var> is an <span>array index property name</span>, return false.</p></li>
-
    <li><p>Let <var>W</var> be the value of the
    [[<span data-x="concept-windowproxy-window">Window</span>]] internal slot of
    <b>this</b>.</p></li>
 
    <li>
-    <p>If <span>IsPlatformObjectSameOrigin</span>(<var>W</var>) is true, then return ?
-    <span>OrdinaryDefineOwnProperty</span>(<var>W</var>, <var>P</var>, <var>Desc</var>).</p>
+    <p>If <span>IsPlatformObjectSameOrigin</span>(<var>W</var>) is true, then:
 
-    <p class="note">This is a <span>willful violation</span> of the JavaScript specification's
-    <span>invariants of the essential internal methods</span> to maintain compatibility with
-    existing Web content. See <a href="https://github.com/tc39/ecma262/issues/672">tc39/ecma262
-    issue #672</a> for more information. <ref spec=JAVASCRIPT></p>
+    <ol>
+     <li><p>If <var>P</var> is an <span>array index property name</span>, return false.</p></li>
 
-   <li><p>Return false.</p></li>
+     <li>
+      <p>Return ? <span>OrdinaryDefineOwnProperty</span>(<var>W</var>, <var>P</var>,
+      <var>Desc</var>).</p>
+
+      <p class="note">This is a <span>willful violation</span> of the JavaScript specification's
+      <span>invariants of the essential internal methods</span> to maintain compatibility with
+      existing Web content. See <a href="https://github.com/tc39/ecma262/issues/672">tc39/ecma262
+      issue #672</a> for more information. <ref spec=JAVASCRIPT></p>
+     </li>
+    </ol>
+
+   <li><p>Throw a <span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p></li>
   </ol>
 
   <h4 id="windowproxy-get">[[Get]] ( <var>P</var>, <var>Receiver</var> )</h4>
@@ -79380,16 +79382,21 @@ callback <dfn>FrameRequestCallback</dfn> = void (<span>DOMHighResTimeStamp</span
   <h4 id="windowproxy-delete">[[Delete]] ( <var>P</var> )</h4>
 
   <ol>
-   <li><p>If <var>P</var> is an <span>array index property name</span>, return false.</p></li>
-
    <li><p>Let <var>W</var> be the value of the
    [[<span data-x="concept-windowproxy-window">Window</span>]] internal slot of
    <b>this</b>.</p></li>
 
-   <li><p>If <span>IsPlatformObjectSameOrigin</span>(<var>W</var>) is true, then return ?
-   <span>OrdinaryDelete</span>(<var>W</var>, <var>P</var>).</p></li>
+   <li>
+    <p>If <span>IsPlatformObjectSameOrigin</span>(<var>W</var>) is true, then:
 
-   <li><p>Return false.</p></li>
+    <ol>
+     <li><p>If <var>P</var> is an <span>array index property name</span>, then return
+     false.</p></li>
+
+     <li><p>Return ? <span>OrdinaryDelete</span>(<var>W</var>, <var>P</var>).</p></li>
+    </ol>
+
+   <li><p>Throw a <span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p></li>
   </ol>
 
   <h4 id="windowproxy-ownpropertykeys">[[OwnPropertyKeys]] ( )</h4>
@@ -81740,7 +81747,7 @@ State: &lt;OUTPUT NAME=I>1&lt;/OUTPUT> &lt;INPUT VALUE="Increment" TYPE=BUTTON O
     </ol>
    </li>
 
-   <li><p>Return false.</p></li>
+   <li><p>Throw a <span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p></li>
   </ol>
 
   <h5 id="location-get">[[Get]] ( <var>P</var>, <var>Receiver</var> )</h5>
@@ -81769,7 +81776,7 @@ State: &lt;OUTPUT NAME=I>1&lt;/OUTPUT> &lt;INPUT VALUE="Increment" TYPE=BUTTON O
    <li><p>If <span>IsPlatformObjectSameOrigin</span>(<b>this</b>) is true, then return ?
    <span>OrdinaryDelete</span>(<b>this</b>, <var>P</var>).</p></li>
 
-   <li><p>Return false.</p></li>
+   <li><p>Throw a <span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p></li>
   </ol>
 
   <h5 id="location-ownpropertykeys">[[OwnPropertyKeys]] ( )</h5>