Tweak the exposure of cross-origin properties

This contains two separate changes: * It makes all cross-origin properties that would normally be enumerable on same-origin objects, enumerable also on WindowProxy and Location objects (including when accessed same-origin). This includes safelisted methods and attributes, browsing context name properties, and browsing context index properties. The motivation for making them non-enumerable seems to have been a mistaken impression that doing so would prevent a cross-origin information leak. * It hides window names from [[OwnPropertyKeys]](), and thus Object.keys(), Object.getOwnPropertyNames(), etc. This actually prevents that cross-origin information leak. Closes #2753.
whatwg · Jul 17, 2017 · 79b4fbc · 79b4fbc
1 parent 889fd1d
commit 79b4fbc
Showing 1 changed file with 7 additions and 6 deletions.
diff --git a/source b/source
@@ -77772,7 +77772,7 @@ console.assert(iframeWindow.frameElement === null);
     browsing context name property set</span>:</p>
 
     <ol>
-     <li><p>Add { [[Property]]: <var>e</var> } as the last element of
+     <li><p>Add { [[Property]]: <var>e</var>, [[HideFromKeys]]: true } as the last element of
      <var>crossOriginWindowProperties</var>.</p></li>
     </ol>
    </li>
@@ -77838,7 +77838,7 @@ console.assert(iframeWindow.frameElement === null);
 
          <li><p>Set <var>crossOriginDesc</var> to <span>PropertyDescriptor</span>{
          [[Value]]: <var>value</var>,
-         [[Enumerable]]: false,
+         [[Enumerable]]: true,
          [[Writable]]: false,
          [[Configurable]]: true }.</p></li>
         </ol>
@@ -77865,7 +77865,7 @@ console.assert(iframeWindow.frameElement === null);
          <li><p>Set <var>crossOriginDesc</var> to <span>PropertyDescriptor</span>{
          [[Get]]: <var>crossOriginGet</var>,
          [[Set]]: <var>crossOriginSet</var>,
-         [[Enumerable]]: false,
+         [[Enumerable]]: true,
          [[Configurable]]: true }.</p></li>
         </ol>
        </li>
@@ -77943,7 +77943,8 @@ console.assert(iframeWindow.frameElement === null);
     <span>CrossOriginProperties</span>(<var>O</var>):</p>
 
     <ol>
-     <li><p>Add <var>e</var>.[[Property]] as the last element of <var>keys</var>.</p></li>
+     <li><p>If <var>e</var>.[[HideFromKeys]] is not true, <span data-x="list append">append</span>
+     <var>e</var>.[[Property]] to <var>keys</var>.</p></li>
     </ol>
    </li>
 
@@ -79038,7 +79039,7 @@ callback <dfn>FrameRequestCallback</dfn> = void (<span>DOMHighResTimeStamp</span
      <li><p>Return <span>PropertyDescriptor</span>{
      [[Value]]: <var>value</var>,
      [[Writable]]: false,
-     [[Enumerable]]: false,
+     [[Enumerable]]: true,
      [[Configurable]]: true }.</p></li>
     </ol>
    </li>
@@ -79068,7 +79069,7 @@ callback <dfn>FrameRequestCallback</dfn> = void (<span>DOMHighResTimeStamp</span
 
      <li><p>Return <span>PropertyDescriptor</span>{
      [[Value]]: <var>value</var>,
-     [[Enumerable]]: false,
+     [[Enumerable]]: true,
      [[Writable]]: false,
      [[Configurable]]: true }.</p></li>
     </ol>