Should accessing location.href cross-origin throw a SecurityError?

[cdumez]

Should accessing location.href cross-origin throw a SecurityError?

The issue is that based on the current specification, [[GetOwnProperty]] will return a descriptor that has a setter but no getter for Location's href property, instead of throwing a SecurityError.

I would expect that we throw a SecurityError (it is the current behavior of WebKit / Blink too). However, it is not clear to me from the specification that we should.

[cdumez]

@annevk @domenic

[cdumez]

To be clear, I am talking about access like so:
crossOriginWindow.location.href

[cdumez]

Because the the EcmaScript spec:
https://tc39.github.io/ecma262/#sec-ordinaryget

I would expect the current HTML specification to result in us returning undefined when accessing location.href, instead of throwing an exception. This is because OrdinaryGet calls [[GetOwnProperty]] which returns a descriptor that is not undefined but desc.get is undefined.

[annevk]

Doing crossOriginWindow.location.href is a [[Get]] and therefore it will throw. If you did Object.getOwnPropertyDescriptor(crossOriginWindow.location, "href").get instead that would not throw and return undefined. If I remember correctly anyway.

[annevk]

The reason [[Get]] throws by the way is because https://html.spec.whatwg.org/#crossoriginget-(-o,-p,-receiver-) says to do so.

[cdumez]

Oh, I completely missed that Window / Location were overriding [[Get]].