It should be possible to create [[Prototype]] cycles involving Location objects
Reported by jswalde...@gmail.com, Apr 26 2016
Issue description

Version: e09ff0ff0cd28edc6d0c5d86c8d13c4e21fc708e
OS: All
Architecture: All

What steps will reproduce the problem?
1. Load http://playground.whereswalden.com/cross-origin-location-window.html

What is the expected output? What do you see instead?
See PASS messages, not FAIL messages.

Please use labels and text to provide additional information.
Per https://html.spec.whatwg.org/multipage/browsers.html#location-getprototypeof Location objects have a custom [[GetPrototypeOf]] trap. Per https://tc39.github.io/ecma262/#sec-ordinarysetprototypeof if the [[Prototype]] chain that *would* be created by a mutation operation contains an object with a custom [[GetPrototypeOf]] trap, cycle detection is not performed. Therefore, it should be possible to create a [[Prototype]] chain cycle involving a Location object.

But as the testcase demonstrates, v8/Blink don't treat Location as having such a custom trap. JSObject::SetPrototype's current implementation suggests v8 doesn't have any cycle non-detection for objects with custom [[GetPrototypeOf]]. I don't know what Blink does for Location objects, but it might need changes as well to deal with this.
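The OrdinarySetPrototypeOf rule cited in the report, shown as an added example that is not the reporter's testcase or V8/Blink code. It assumes a Proxy with a `getPrototypeOf` trap as a stand-in for Location, since both have a non-ordinary [[GetPrototypeOf]]; all function and variable names are hypothetical.

```javascript
// Added illustration, not the reporter's testcase. A Proxy with a
// getPrototypeOf trap stands in for Location (assumption): both have a
// non-ordinary [[GetPrototypeOf]]. All names below are hypothetical.

// Two ordinary objects: the cycle check walks b -> a, finds a, and refuses.
function ordinaryCycleIsRejected() {
  const a = {};
  const b = Object.create(a);                  // b -> a
  return Reflect.setPrototypeOf(a, b) === false;
}

// Exotic object whose reported prototype is chosen by the caller.
function makeExotic(reportedProto) {
  return new Proxy({}, { getPrototypeOf() { return reportedProto; } });
}

// Count getPrototypeOf hops until `start` is seen again. The walk is bounded
// because a cyclic chain never reaches null.
function hopsBackTo(start, limit) {
  let p = start;
  for (let hops = 1; hops <= limit; hops++) {
    p = Object.getPrototypeOf(p);
    if (p === null) return -1;                 // chain ended, no cycle
    if (p === start) return hops;              // cycle closed
  }
  return -1;
}

function cycleThroughExotic() {
  const a = {};
  const exotic = makeExotic(a);                // exotic reports a as its prototype
  const mid = Object.create(exotic);           // mid -> exotic
  // The check visits mid (ordinary, keep walking), then exotic (non-ordinary
  // [[GetPrototypeOf]], stop), so it never sees that exotic leads back to a.
  const accepted = Reflect.setPrototypeOf(a, mid);
  return { accepted, hops: hopsBackTo(a, 10) }; // a -> mid -> exotic -> a
}

console.log(ordinaryCycleIsRejected(), cycleThroughExotic());
```

Code that walks a prototype chain with `Object.getPrototypeOf` until it reaches `null` does not terminate on such a chain, so bound the walk or track visited objects as `hopsBackTo` does.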
Feb 21 2018
I want to work on this issue. I am not able to open http://playground.whereswalden.com/cross-origin-location-window.html. Can anyone please add a test case to understand the issue in detail? Thanks!
Jan 11
Setting defect without priority to Pri-2.
Comment 1 by adamk@chromium.org, Apr 26 2016
Components: Runtime Language
Status: Available (was: Untriaged)