Tweak the exposure of cross-origin properties

This contains two separate changes: * It makes all cross-origin properties that would normally be enumerable on same-origin objects, enumerable also on WindowProxy and Location objects (including when accessed same-origin). This includes safelisted methods and attributes, browsing context name properties, and browsing context index properties. The motivation for making them non-enumerable seems to have been a mistaken impression that doing so would prevent a cross-origin information leak. * It hides window names from [[OwnPropertyKeys]](), and thus Object.keys(), Object.getOwnPropertyNames(), etc. This actually prevents that cross-origin information leak. Closes whatwg#2753.
alice · Jan 7, 2019 · 333efb0 · 333efb0
1 parent a402ebd
commit 333efb0
Showing 1 changed file with 7 additions and 6 deletions.
diff --git a/source b/source
@@ -77787,7 +77787,7 @@ console.assert(iframeWindow.frameElement === null);
     browsing context name property set</span>:</p>
 
     <ol>
-     <li><p>Add { [[Property]]: <var>e</var> } as the last element of
+     <li><p>Add { [[Property]]: <var>e</var>, [[HideFromKeys]]: true } as the last element of
      <var>crossOriginWindowProperties</var>.</p></li>
     </ol>
    </li>
@@ -77853,7 +77853,7 @@ console.assert(iframeWindow.frameElement === null);
 
          <li><p>Set <var>crossOriginDesc</var> to <span>PropertyDescriptor</span>{
          [[Value]]: <var>value</var>,
-         [[Enumerable]]: false,
+         [[Enumerable]]: true,
          [[Writable]]: false,
          [[Configurable]]: true }.</p></li>
         </ol>
@@ -77880,7 +77880,7 @@ console.assert(iframeWindow.frameElement === null);
          <li><p>Set <var>crossOriginDesc</var> to <span>PropertyDescriptor</span>{
          [[Get]]: <var>crossOriginGet</var>,
          [[Set]]: <var>crossOriginSet</var>,
-         [[Enumerable]]: false,
+         [[Enumerable]]: true,
          [[Configurable]]: true }.</p></li>
         </ol>
        </li>
@@ -77958,7 +77958,8 @@ console.assert(iframeWindow.frameElement === null);
     <span>CrossOriginProperties</span>(<var>O</var>):</p>
 
     <ol>
-     <li><p>Add <var>e</var>.[[Property]] as the last element of <var>keys</var>.</p></li>
+     <li><p>If <var>e</var>.[[HideFromKeys]] is not true, <span data-x="list append">append</span>
+     <var>e</var>.[[Property]] to <var>keys</var>.</p></li>
     </ol>
    </li>
 
@@ -79053,7 +79054,7 @@ callback <dfn>FrameRequestCallback</dfn> = void (<span>DOMHighResTimeStamp</span
      <li><p>Return <span>PropertyDescriptor</span>{
      [[Value]]: <var>value</var>,
      [[Writable]]: false,
-     [[Enumerable]]: false,
+     [[Enumerable]]: true,
      [[Configurable]]: true }.</p></li>
     </ol>
    </li>
@@ -79083,7 +79084,7 @@ callback <dfn>FrameRequestCallback</dfn> = void (<span>DOMHighResTimeStamp</span
 
      <li><p>Return <span>PropertyDescriptor</span>{
      [[Value]]: <var>value</var>,
-     [[Enumerable]]: false,
+     [[Enumerable]]: true,
      [[Writable]]: false,
      [[Configurable]]: true }.</p></li>
     </ol>