Handling of "then" on cross-origin windows doesn't match what we agreed to do or browsers

[bzbarsky]

Consider this code, where "win" is a cross-origin window that has a subframe named "then":

Object.getOwnPropertyDescriptor(win, "then")

What should this return?

Per spec as currently written, we land in https://html.spec.whatwg.org/multipage/window-object.html#windowproxy-getownproperty and:

1. Just sets W
2. P == "then" is not an array index, step skipped.
3. IsPlatformObjectSameOrigin is false.
4. CrossOriginGetPropertyHelper returns a descriptor with [[Value]]: undefined
5. This property descriptor is returned.

But what browsers implement, and wpt tests for, and we agreed on, iirc, is that in this case the property descriptor's [[Value]] should be the subframe window.

@annevk @domenic

[bzbarsky]

Looks like this was wrong in the original PR for #3242

[annevk]

So to fix this, we need to remove the "then" case from step 3 of CrossOriginGetOwnPropertyHelper. Then we need to add a "then" case near the end of WindowProxy's and Location's [[GetOwnProperty]]. Alternatively we could move that entire step (step 3 of CrossOriginGetOwnPropertyHelper) to end of these two algorithms.

It might be worthwhile to look into a shorthand for

PropertyDescriptor{ [[Value]]: undefined, [[Writable]]: false, [[Enumerable]]: false, [[Configurable]]: true }

too to avoid the duplication of that, but perhaps only if there's more uses of it throughout the platform.

This seems like a good first issue for someone to try and tackle.

[bzbarsky]

In the Gecko implementation, I moved all of step 3 into a separate algorithm that is invoked from both ends of [[GetOwnProperty]], for the moment...

[annevk]

I ended up posting a PR for this myself, despite "good first issue", as it concerns security, so removing that label.