diff options
| author | yvt <i@yvt.jp> | 2021-08-17 01:45:55 +0900 |
|---|---|---|
| committer | yvt <i@yvt.jp> | 2021-08-17 09:26:27 +0900 |
| commit | c25355704d08ac68cda147ccbec270407119e2ca (patch) | |
| tree | 3283e68074e9eb0c822ac2644a964a7e9feb0d20 /components/script/dom/bindings/codegen/interface.html.template | |
| parent | 8b3a49349dd4028f95f0157951d76713551a0ad4 (diff) | |
| download | servo-c25355704d08ac68cda147ccbec270407119e2ca.tar.gz servo-c25355704d08ac68cda147ccbec270407119e2ca.zip | |
fix(script): the condition for exposing a cross-origin setter is `CrossOriginWritable`, not `CrossOriginReadable`
The expression `crossOriginIframe.contentWindow.location.href = "new
href"` takes the following steps: (1) Get the setter for `href` by
invoking `[[GetOwnProperty]]` on `crossOriginIframe.contentWindow.
location`. (2) Call the setter, passing `crossOriginIframe.
contentWindow` and `"new href"`. Since the target `Location` is cross
origin, getting the setter succeeds only if the `CrossOriginWritable`
extended attribute is present on the `href` attribute, and it's present.
However, instead of `CrossOriginWritable`, `CrossOriginReadable` was
checked mistakenly.
Since `Location#href` has `CrossOriginWritable` but not
`CrossOriginReadable`, this bug rendered `Location#href` inaccessible
from a cross-origin document.
Diffstat (limited to 'components/script/dom/bindings/codegen/interface.html.template')
0 files changed, 0 insertions, 0 deletions