-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enumerable cross-origin properties don't seem to be web-compatible #3183
Comments
And @cdumez because he was working on this stuff in WebKit... |
I may be able to reproduce in WebKit ToT. No infinite loops but login fails and I get this error in console: |
Right, I should have said "infinite recursion", not "infinite loop". In Gecko the infinite recursion didn't run out of stack space in the amount of time I was willing to wait... |
We'll try to fix this ASAP. Sorry to put everyone through this. To help us understand: this problem would also occur with a same-origin window, right? It's just bad luck that the code in question is only passing cross-origin windows and expecting them to work? |
No, because the recursive step in The problem would occur with an object graph that contains plain objects, has loops, and has non-writable properties so the loops don't get broken by |
Note that after the backout, Firefox will go back to its previous behavior: indexed properties will be enumerable, but other things will not. |
@bzbarsky but other things would still be enumerable on same-origin objects, right? |
Yes, everything will remain as it was for same-origin objects. |
Will back out change from WebKit as well (https://bugs.webkit.org/show_bug.cgi?id=179117). |
…count https://bugs.webkit.org/show_bug.cgi?id=179117 Reviewed by Geoffrey Garen. LayoutTests/imported/w3c: Rebaseline WPT tests. * web-platform-tests/html/browsers/origin/cross-origin-objects/cross-origin-objects-expected.txt: * web-platform-tests/html/browsers/the-window-object/window-indexed-properties-expected.txt: Source/WebCore: After r219659, it is no longer possible to log into ifttt.com using a Google account: - Signed into a Google account already - Visit https://ifttt.com/login - Click "Continue with Google" - Select the signed in account It turns out that this change to the HTML specification was not Web-compatible: See https://bugzilla.mozilla.org/show_bug.cgi?id=1412741 & whatwg/html#3183 This patch reverts r219659 for now until we agree on what behavior should get specified. No new tests, rebaselined existing tests. * bindings/js/JSDOMWindowCustom.cpp: (WebCore::jsDOMWindowGetOwnPropertySlotRestrictedAccess): (WebCore::JSDOMWindow::getOwnPropertySlotByIndex): (WebCore::JSDOMWindow::getOwnPropertyNames): * bindings/js/JSLocationCustom.cpp: (WebCore::getOwnPropertySlotCommon): (WebCore::JSLocation::getOwnPropertyNames): LayoutTests: Update / rebaseline existing test. * http/tests/security/cross-origin-descriptors-expected.txt: * http/tests/security/cross-origin-descriptors.html: git-svn-id: http://svn.webkit.org/repository/webkit/trunk@224287 268f45cc-cd09-0410-ab3c-d52691b4dbfc
In 205659f we made all properties on cross-origin objects enumerable, equivalent to their same-origin object counterparts. However, this turned out not be web-compatible. This makes them unenumerable again with the exception of array index property names, which need to be enumerable. Tests: ... Fixes #3183.
In 205659f we made all properties on cross-origin objects enumerable, equivalent to their same-origin object counterparts. However, this turned out not be web-compatible. This makes them non-enumerable again with the exception of array index property names, which need to be enumerable. Tests: web-platform-tests/wpt#8045 Fixes #3183.
In 205659f we made all properties on cross-origin objects enumerable, equivalent to their same-origin object counterparts. However, this turned out not be web-compatible. This makes them non-enumerable again with the exception of array index property names, which need to be enumerable. Tests: web-platform-tests/wpt#8045 Fixes whatwg#3183.
…count https://bugs.webkit.org/show_bug.cgi?id=179117 Reviewed by Geoffrey Garen. LayoutTests/imported/w3c: Rebaseline WPT tests. * web-platform-tests/html/browsers/origin/cross-origin-objects/cross-origin-objects-expected.txt: * web-platform-tests/html/browsers/the-window-object/window-indexed-properties-expected.txt: Source/WebCore: After r219659, it is no longer possible to log into ifttt.com using a Google account: - Signed into a Google account already - Visit https://ifttt.com/login - Click "Continue with Google" - Select the signed in account It turns out that this change to the HTML specification was not Web-compatible: See https://bugzilla.mozilla.org/show_bug.cgi?id=1412741 & whatwg/html#3183 This patch reverts r219659 for now until we agree on what behavior should get specified. No new tests, rebaselined existing tests. * bindings/js/JSDOMWindowCustom.cpp: (WebCore::jsDOMWindowGetOwnPropertySlotRestrictedAccess): (WebCore::JSDOMWindow::getOwnPropertySlotByIndex): (WebCore::JSDOMWindow::getOwnPropertyNames): * bindings/js/JSLocationCustom.cpp: (WebCore::getOwnPropertySlotCommon): (WebCore::JSLocation::getOwnPropertyNames): LayoutTests: Update / rebaseline existing test. * http/tests/security/cross-origin-descriptors-expected.txt: * http/tests/security/cross-origin-descriptors.html: Canonical link: https://commits.webkit.org/195238@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@224287 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Updating Firefox to #2777 caused a web compat issue: if a cross-origin window makes its way into jQuery.extend, that function will go into an infinite loop. This is turning up as a problem on actual sites. See https://bugzilla.mozilla.org/show_bug.cgi?id=1412741 for details.
I will be backing out the corresponding changes from Firefox.
The text was updated successfully, but these errors were encountered: