-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Should deleting a cross-origin Window property throw? #1726
Comments
I believe how this works is that ES defines its internal methods to return booleans, and then various consumers of them (e.g. the |
Note that http://w3c-test.org/html/browsers/origin/cross-origin-objects/cross-origin-objects.sub.html seems to expect us to throw. It does not seem to be in strict mode. Firefox is passing. |
/cc @bzbarsky. Is throwing for cross-origin delete in sloppy mode expected or desirable? We could make it throw, by throwing a TypeError instead of returning false. That seems a bit unexpected from a JS developer's perspective, but it wouldn't be the worst thing. |
Someone should double check but it seems Chrome throws a SecurityError. |
@bholley knows this stuff better than I do. But afaict in Firefox any operation on a property on a cross-origin window first asks a general "can I operate on this property?" question and that will throw for all properties that are not in the whitelisted set. I don't know that I have a strong opinion about whether to throw in this situation or not. |
Oh, and I guess in Gecko the question is actually "can I perform verb X on this property?" where the possible verbs are get, set, call, enumerate, get property descriptor. delete uses the "set" verb at the moment. Fundamentally, if |
The basic idea when we hashed this out was that we would generally err on the side of throwing, since it gives engines maximum implementational flexibility (and diminishes web-compat constraints), and we're not really trying to make these objects friendly to operate on. I don't really remember the specifics of |delete|, but it doesn't surprise me that we decided it should throw. The implementation in Firefox is here: http://searchfox.org/mozilla-central/rev/0dd403224a5acb0702bdbf7ff405067f5d29c239/js/xpconnect/wrappers/FilteringWrapper.cpp#235 |
https://tc39.github.io/ecma262/#sec-invariants-of-the-essential-internal-methods says [[Delete]] must return a Boolean, but I think that section also allows exceptions although it's not explicitly stated. [[Delete]] can certainly throw already anyway. So I guess we should change this if implementations already throw. And we should probably test indexed properties before doing that. It seems the test does not cover them. |
If we change this we should also change https://html.spec.whatwg.org/multipage/browsers.html#location-delete. |
Update for the test: web-platform-tests/wpt#3610. I'll make a PR for HTML. |
Returning false would only cause its callers to throw in “strict mode”. Implementations however always throw. Always throwing also allows for more implementation flexibility which is somewhat preferable here due to the different cross-origin security architectures in browsers. Fixes #1726.
Returning false would only cause its callers to throw in “strict mode”. Implementations however always throw. Always throwing also allows for more implementation flexibility which is somewhat preferable here due to the different cross-origin security architectures in browsers. Fixes #1726.
Returning false for [[Delete]] (on Window and Location objects) would only cause its callers to throw in strict mode. Implementations however always throw. We also decided to throw "SecurityError" for [[DefineOwnProperty]] and [[Set]] (the latter through CrossOriginSet). We did not do this for all internal methods: only those where throwing was unique to their cross-origin behavior. Fixes #1726.
Returning false for [[Delete]] (on Window and Location objects) would only cause its callers to throw in strict mode. Implementations however always throw. We also decided to throw "SecurityError" for [[DefineOwnProperty]] and [[Set]] (the latter through CrossOriginSet). We did not do this for all internal methods: only those where throwing was unique to their cross-origin behavior. Fixes whatwg#1726.
Should deleting a cross-origin Window property throw?
Firefox and Chrome throw but it I cannot find the part of the specification that says we should:
https://html.spec.whatwg.org/#windowproxy-delete
The text was updated successfully, but these errors were encountered: