Behavior of Window's [SetPrototypeOf] ? #1727
Comments
http://w3c-test.org/html/browsers/origin/cross-origin-objects/cross-origin-objects.sub.html seems to expect that an exception be thrown for the cross-origin case. |
It matches Firefox for the same-origin case, no? At least assuming you're using Chrome hasn't updated to this part of the spec yet, sounds like; it's a somewhat recent change to the spec (both HTML and ES; see https://tc39.github.io/ecma262/#sec-immutable-prototype-exotic-objects-setprototypeof-v and https://tc39.github.io/ecma262/#sec-properties-of-the-object-prototype-object which makes trying to set the prototype of Object.prototype throw in the same way). The idea is to make the prototype chain of the global immutable in general. For the cross-origin case, this is a matter of the clear WindowProxy spec being fairly new and hence Firefox not yet implementing it. We should change the test to test that a TypeError is thrown, probably.... |
After web-platform-tests/wpt#3610 lands I can update the (cross-origin) test to actually check for specific exceptions. Okay with you @bholley? |
Also fix web-platform-tests/wpt#3610 (comment) as part of fixing the test. (Assuming everyone is okay with fixing the test.) |
Right, I think the spec is correct-ish here, but again it's just the problem of confusing the behavior of I think what remains is to decide whether we want to throw a TypeError cross-origin, or a DOMException SecurityError. That question is probably the same for all internal methods (so #1726/#1728 need to align with whatever we decide). We will always throw a TypeError same-origin; as @bzbarsky points out that is somewhat of a recent change, but an important one for security. |
Edge does not throw (but also fails the "Basic sanity-checking") when running http://w3c-test.org/html/browsers/origin/cross-origin-objects/cross-origin-objects.sub.html |
Well, all browsers will fail Basic Sanity-checking if the test is hosted on port 80: This is the test that needs fixing. |
I'll defer to @bzbarsky on the details of exactly what sort of exceptions are thrown. Checking this in the test is good, but please make sure to do it in such a way that a browser that throws the wrong sort of exception still gets credit for throwing an exception, and merely fails an additional "right kind of exception" test. |
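The gap between "the internal method returns false" and "callers see a TypeError", together with the two-tier test grading asked for above, as an added example that is not part of the original thread. It assumes a plain JavaScript engine, where `Object.prototype` (an immutable prototype exotic object per the ES text linked earlier) stands in for the same-origin global, since a cross-origin WindowProxy cannot be reproduced outside a browser; `gradeThrow`, `probeSetPrototypeOf` and `runDemo` are hypothetical helper names.

```javascript
// Added example; helper names are hypothetical, not from the spec or from WPT.

// Two-tier grading: credit for throwing at all, plus a separate
// check that the exception has the expected type.
function gradeThrow(fn, ExpectedError) {
  try {
    fn();
  } catch (e) {
    return { threw: true, rightKind: e instanceof ExpectedError };
  }
  return { threw: false, rightKind: false };
}

function probeSetPrototypeOf(target, newProto) {
  const original = Object.getPrototypeOf(target);
  // Reflect.setPrototypeOf exposes the boolean returned by [[SetPrototypeOf]].
  const internalResult = Reflect.setPrototypeOf(target, newProto);
  // Object.setPrototypeOf converts a false result into a TypeError.
  const viaObject = gradeThrow(
    () => Object.setPrototypeOf(target, newProto), TypeError);
  const unchanged = Object.getPrototypeOf(target) === original;
  // Undo the change on ordinary objects so the probe has no side effects.
  if (!unchanged) Object.setPrototypeOf(target, original);
  return { internalResult, viaObject, unchanged };
}

function runDemo() {
  return {
    // Immutable prototype: the internal method returns false, the wrapper throws.
    immutableNewValue: probeSetPrototypeOf(Object.prototype, {}),
    // Setting the value it already has (null) is allowed and returns true.
    immutableSameValue: probeSetPrototypeOf(Object.prototype, null),
    // Ordinary extensible object: the change succeeds (then is undone).
    ordinaryObject: probeSetPrototypeOf({}, { marker: 1 }),
    // Constructed wrong-kind exception: passes "threw", fails "right kind".
    wrongKind: gradeThrow(() => { throw new RangeError('constructed'); }, TypeError),
  };
}

console.log(JSON.stringify(runDemo(), null, 2));
```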
I am updating WebKit [1] to throw a TypeError in the cross-origin case as per: For now, we still allow setting the prototype in the same origin case, similarly to Chrome. |
Given #1728 (comment) it seems this can be closed as "worksforme"? That is, since the behavior is supposed to be consistent for same-origin and cross-origin, we'll leave this as a TypeError? |
This adds a new test to test for specific cross-origin object exceptions as discussed in whatwg/html#1727. Once this test is more widely implemented the cross-origin-objects.html resource can be replaced by it (as indicated within the resource).
I created a WPT PR to test for the specific exceptions. As requested I've done it as a separate resource for now so browsers can separately check whether they throw at all and whether they throw the correct exception. Once a couple of browsers start throwing the correct exceptions I suggest we only use that resource going forward. It's not worth the hassle to maintain it twice. |
Yes, the specification seems correct here. |
The HTML specification merely says to return false:
https://html.spec.whatwg.org/#windowproxy-setprototypeof
However, this does not seem to match browsers?
Firefox:
Chrome:
Safari TP: