Permalink
Browse files

Tweak the exposure of cross-origin properties

This contains two separate changes:

* It makes all cross-origin properties that would normally be enumerable
  on same-origin objects, enumerable also on WindowProxy and Location
  objects (including when accessed same-origin). This includes
  safelisted methods and attributes, browsing context name properties,
  and browsing context index properties. The motivation for making them
  non-enumerable seems to have been a mistaken impression that doing so
  would prevent a cross-origin information leak.

* It hides window names from [[OwnPropertyKeys]](), and thus
  Object.keys(), Object.getOwnPropertyNames(), etc. This actually
  prevents a cross-origin information leak.

Closes #2753.
  • Loading branch information...
domenic committed Jun 21, 2017
1 parent 7f4c34a commit 205659fe48f3aaf241f071e5ed0078d146812d7f
Showing with 7 additions and 6 deletions.
  1. +7 −6 source
View
13 source
@@ -77489,7 +77489,7 @@ console.assert(iframeWindow.frameElement === null);
browsing context name property set</span>:</p>
<ol>
<li><p>Add { [[Property]]: <var>e</var> } as the last element of
<li><p>Add { [[Property]]: <var>e</var>, [[HideFromKeys]]: true } as the last element of
<var>crossOriginWindowProperties</var>.</p></li>
</ol>
</li>
@@ -77555,7 +77555,7 @@ console.assert(iframeWindow.frameElement === null);
<li><p>Set <var>crossOriginDesc</var> to <span>PropertyDescriptor</span>{
[[Value]]: <var>value</var>,
[[Enumerable]]: false,
[[Enumerable]]: true,
[[Writable]]: false,
[[Configurable]]: true }.</p></li>
</ol>
@@ -77582,7 +77582,7 @@ console.assert(iframeWindow.frameElement === null);
<li><p>Set <var>crossOriginDesc</var> to <span>PropertyDescriptor</span>{
[[Get]]: <var>crossOriginGet</var>,
[[Set]]: <var>crossOriginSet</var>,
[[Enumerable]]: false,
[[Enumerable]]: true,
[[Configurable]]: true }.</p></li>
</ol>
</li>
@@ -77660,7 +77660,8 @@ console.assert(iframeWindow.frameElement === null);
<span>CrossOriginProperties</span>(<var>O</var>):</p>
<ol>
<li><p>Add <var>e</var>.[[Property]] as the last element of <var>keys</var>.</p></li>
<li><p>If <var>e</var>.[[HideFromKeys]] is not true, <span data-x="list append">append</span>
<var>e</var>.[[Property]] to <var>keys</var>.</p></li>
</ol>
</li>
@@ -78753,7 +78754,7 @@ callback <dfn>FrameRequestCallback</dfn> = void (<span>DOMHighResTimeStamp</span
<li><p>Return <span>PropertyDescriptor</span>{
[[Value]]: <var>value</var>,
[[Writable]]: false,
[[Enumerable]]: false,
[[Enumerable]]: true,
[[Configurable]]: true }.</p></li>
</ol>
</li>
@@ -78783,7 +78784,7 @@ callback <dfn>FrameRequestCallback</dfn> = void (<span>DOMHighResTimeStamp</span
<li><p>Return <span>PropertyDescriptor</span>{
[[Value]]: <var>value</var>,
[[Enumerable]]: false,
[[Enumerable]]: true,
[[Writable]]: false,
[[Configurable]]: true }.</p></li>
</ol>

0 comments on commit 205659f

Please sign in to comment.