Enumerable cross-origin properties don't seem to be web-compatible #3183
Comments
|
And @cdumez because he was working on this stuff in WebKit... |
|
I may be able to reproduce in WebKit ToT. No infinite loops but login fails and I get this error in console: |
|
Right, I should have said "infinite recursion", not "infinite loop". In Gecko the infinite recursion didn't run out of stack space in the amount of time I was willing to wait... |
|
We'll try to fix this ASAP. Sorry to put everyone through this. To help us understand: this problem would also occur with a same-origin window, right? It's just bad luck that the code in question is only passing cross-origin windows and expecting them to work? |
No, because the recursive step in The problem would occur with an object graph that contains plain objects, has loops, and has non-writable properties so the loops don't get broken by |
|
Note that after the backout, Firefox will go back to its previous behavior: indexed properties will be enumerable, but other things will not. |
|
@bzbarsky but other things would still be enumerable on same-origin objects, right? |
|
Yes, everything will remain as it was for same-origin objects. |
|
Will back out change from WebKit as well (https://bugs.webkit.org/show_bug.cgi?id=179117). |
…count https://bugs.webkit.org/show_bug.cgi?id=179117 Reviewed by Geoffrey Garen. LayoutTests/imported/w3c: Rebaseline WPT tests. * web-platform-tests/html/browsers/origin/cross-origin-objects/cross-origin-objects-expected.txt: * web-platform-tests/html/browsers/the-window-object/window-indexed-properties-expected.txt: Source/WebCore: After r219659, it is no longer possible to log into ifttt.com using a Google account: - Signed into a Google account already - Visit https://ifttt.com/login - Click "Continue with Google" - Select the signed in account It turns out that this change to the HTML specification was not Web-compatible: See https://bugzilla.mozilla.org/show_bug.cgi?id=1412741 & whatwg/html#3183 This patch reverts r219659 for now until we agree on what behavior should get specified. No new tests, rebaselined existing tests. * bindings/js/JSDOMWindowCustom.cpp: (WebCore::jsDOMWindowGetOwnPropertySlotRestrictedAccess): (WebCore::JSDOMWindow::getOwnPropertySlotByIndex): (WebCore::JSDOMWindow::getOwnPropertyNames): * bindings/js/JSLocationCustom.cpp: (WebCore::getOwnPropertySlotCommon): (WebCore::JSLocation::getOwnPropertyNames): LayoutTests: Update / rebaseline existing test. * http/tests/security/cross-origin-descriptors-expected.txt: * http/tests/security/cross-origin-descriptors.html: git-svn-id: http://svn.webkit.org/repository/webkit/trunk@224287 268f45cc-cd09-0410-ab3c-d52691b4dbfc
In 205659f we made all properties on cross-origin objects enumerable, equivalent to their same-origin object counterparts. However, this turned out not be web-compatible. This makes them unenumerable again with the exception of array index property names, which need to be enumerable. Tests: ... Fixes #3183.
In 205659f we made all properties on cross-origin objects enumerable, equivalent to their same-origin object counterparts. However, this turned out not be web-compatible. This makes them non-enumerable again with the exception of array index property names, which need to be enumerable. Tests: web-platform-tests/wpt#8045 Fixes #3183.
In 205659f we made all properties on cross-origin objects enumerable, equivalent to their same-origin object counterparts. However, this turned out not be web-compatible. This makes them non-enumerable again with the exception of array index property names, which need to be enumerable. Tests: web-platform-tests/wpt#8045 Fixes whatwg#3183.
…count https://bugs.webkit.org/show_bug.cgi?id=179117 Reviewed by Geoffrey Garen. LayoutTests/imported/w3c: Rebaseline WPT tests. * web-platform-tests/html/browsers/origin/cross-origin-objects/cross-origin-objects-expected.txt: * web-platform-tests/html/browsers/the-window-object/window-indexed-properties-expected.txt: Source/WebCore: After r219659, it is no longer possible to log into ifttt.com using a Google account: - Signed into a Google account already - Visit https://ifttt.com/login - Click "Continue with Google" - Select the signed in account It turns out that this change to the HTML specification was not Web-compatible: See https://bugzilla.mozilla.org/show_bug.cgi?id=1412741 & whatwg/html#3183 This patch reverts r219659 for now until we agree on what behavior should get specified. No new tests, rebaselined existing tests. * bindings/js/JSDOMWindowCustom.cpp: (WebCore::jsDOMWindowGetOwnPropertySlotRestrictedAccess): (WebCore::JSDOMWindow::getOwnPropertySlotByIndex): (WebCore::JSDOMWindow::getOwnPropertyNames): * bindings/js/JSLocationCustom.cpp: (WebCore::getOwnPropertySlotCommon): (WebCore::JSLocation::getOwnPropertyNames): LayoutTests: Update / rebaseline existing test. * http/tests/security/cross-origin-descriptors-expected.txt: * http/tests/security/cross-origin-descriptors.html: Canonical link: https://commits.webkit.org/195238@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@224287 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Updating Firefox to #2777 caused a web compat issue: if a cross-origin window makes its way into jQuery.extend, that function will go into an infinite loop. This is turning up as a problem on actual sites. See https://bugzilla.mozilla.org/show_bug.cgi?id=1412741 for details.
I will be backing out the corresponding changes from Firefox.
The text was updated successfully, but these errors were encountered: