mirror of
https://github.com/servo/servo
synced 2026-05-12 18:06:32 +02:00
c25355704d
The expression `crossOriginIframe.contentWindow.location.href = "new href"` takes the following steps: (1) Get the setter for `href` by invoking `[[GetOwnProperty]]` on `crossOriginIframe.contentWindow. location`. (2) Call the setter, passing `crossOriginIframe. contentWindow` and `"new href"`. Since the target `Location` is cross origin, getting the setter succeeds only if the `CrossOriginWritable` extended attribute is present on the `href` attribute, and it's present. However, instead of `CrossOriginWritable`, `CrossOriginReadable` was checked mistakenly. Since `Location#href` has `CrossOriginWritable` but not `CrossOriginReadable`, this bug rendered `Location#href` inaccessible from a cross-origin document.