Tweak the exposure of cross-origin properties

This contains two separate changes: * It makes all cross-origin properties that would normally be enumerable on same-origin objects, enumerable also on WindowProxy and Location objects (including when accessed same-origin). This includes safelisted methods and attributes, browsing context name properties, and browsing context index properties. The motivation for making them non-enumerable seems to have been a mistaken impression that doing so would prevent a cross-origin information leak. * It hides window names from [[OwnPropertyKeys]](), and thus Object.keys(), Object.getOwnPropertyNames(), etc. This actually prevents a cross-origin information leak. Closes #2753.
whatwg · Jun 21, 2017 · 205659f · 205659f
1 parent 7f4c34a
commit 205659f
Showing 1 changed file with 7 additions and 6 deletions.
diff --git a/source b/source
@@ -77489,7 +77489,7 @@ console.assert(iframeWindow.frameElement === null);
     browsing context name property set</span>:</p>
 
     <ol>
-     <li><p>Add { [[Property]]: <var>e</var> } as the last element of
+     <li><p>Add { [[Property]]: <var>e</var>, [[HideFromKeys]]: true } as the last element of
      <var>crossOriginWindowProperties</var>.</p></li>
     </ol>
    </li>
@@ -77555,7 +77555,7 @@ console.assert(iframeWindow.frameElement === null);
 
          <li><p>Set <var>crossOriginDesc</var> to <span>PropertyDescriptor</span>{
          [[Value]]: <var>value</var>,
-         [[Enumerable]]: false,
+         [[Enumerable]]: true,
          [[Writable]]: false,
          [[Configurable]]: true }.</p></li>
         </ol>
@@ -77582,7 +77582,7 @@ console.assert(iframeWindow.frameElement === null);
          <li><p>Set <var>crossOriginDesc</var> to <span>PropertyDescriptor</span>{
          [[Get]]: <var>crossOriginGet</var>,
          [[Set]]: <var>crossOriginSet</var>,
-         [[Enumerable]]: false,
+         [[Enumerable]]: true,
          [[Configurable]]: true }.</p></li>
         </ol>
        </li>
@@ -77660,7 +77660,8 @@ console.assert(iframeWindow.frameElement === null);
     <span>CrossOriginProperties</span>(<var>O</var>):</p>
 
     <ol>
-     <li><p>Add <var>e</var>.[[Property]] as the last element of <var>keys</var>.</p></li>
+     <li><p>If <var>e</var>.[[HideFromKeys]] is not true, <span data-x="list append">append</span>
+     <var>e</var>.[[Property]] to <var>keys</var>.</p></li>
     </ol>
    </li>
 
@@ -78753,7 +78754,7 @@ callback <dfn>FrameRequestCallback</dfn> = void (<span>DOMHighResTimeStamp</span
      <li><p>Return <span>PropertyDescriptor</span>{
      [[Value]]: <var>value</var>,
      [[Writable]]: false,
-     [[Enumerable]]: false,
+     [[Enumerable]]: true,
      [[Configurable]]: true }.</p></li>
     </ol>
    </li>
@@ -78783,7 +78784,7 @@ callback <dfn>FrameRequestCallback</dfn> = void (<span>DOMHighResTimeStamp</span
 
      <li><p>Return <span>PropertyDescriptor</span>{
      [[Value]]: <var>value</var>,
-     [[Enumerable]]: false,
+     [[Enumerable]]: true,
      [[Writable]]: false,
      [[Configurable]]: true }.</p></li>
     </ol>