The page loads the same in every browser. The bug shows up in one of them, and never where I’m looking.
An iframe on the page needs to know where its parent lives – the URL in the top window. Different origin, so the same-origin policy is in play and the browser is allowed to refuse. I expect it to refuse. I wrote the code expecting it:
try {
var url = window.top.location.href;
useIt(url);
} catch (e) {
fallBack();
}
In Firefox this does exactly what I planned. Reaching across origins for location.href throws – Permission denied to get property Location.href – the catch fires, fallBack() runs, the page copes. IE throws too. The spec, as I read it, says it should.
Then I open it in Chrome, and fallBack() never runs.
WebKit doesn’t throw. It hands back undefined and lets the next line run as if nothing happened. useIt(undefined), and now I’m three functions downstream debugging a value the browser was supposed to refuse me. The catch I wrote for exactly this case never had anything to catch.
I can see the thinking behind it. A throw kills everything after it; a programmer who never wrapped the access gets a dead page and a console error they don’t understand. Handing back undefined keeps the page alive. It’s the kinder default – for the person who wrote the careless version. It punishes the person who wrote the careful one, because the careful version is built on the throw that doesn’t come.
The same-origin policy is identical in both browsers. The way it says no is not. One denies me with an exception, the other with a value, and a value doesn’t trip a catch. So I keep the catch for the browsers that throw, and stop trusting it to be the whole story:
var url;
try { url = window.top.location.href; } catch (e) {}
if (typeof url === 'string') { useIt(url); } else { fallBack(); }
The try still guards the throwers. The check handles the browser that refused without telling me. It’s what I should have written first.
An exception is the browser saying no out loud. undefined is the browser saying no and hoping I don’t check.