Accessing an invalid property on a cross-origin window does not result in a SecurityError

[srujzs]

Opening a window with a different origin using JS interop (using JSAny? to avoid any type checks) and then trying to access a property that is invalid e.g. devicePixelRatio succeeds.

Running the following with dart test test/helpers_test.dart -p chrome:

@TestOn('browser')
library;

import 'dart:js_interop';

import 'package:test/test.dart';

@JS()
external JSAny? get window;

void main() {
  test('test', () {
    final w = window.open('https://www.google.com');
    if (w == null) throw Exception();
    w.devicePixelRatio;
  });
}

extension on JSAny? {
  external JSAny? open(String url);
  external int devicePixelRatio;
}

The resulting JS looks like:

      var w = self.window.open("https://www.google.com");
      if (w == null)
        throw A.wrapException(A.Exception_Exception(null));
      A._asInt(w.devicePixelRatio);

However, if I add --pause-after-load and add a breakpoint to if (w == null) and then run w.devicePixelRatio in the console, this correctly results in a SecurityError. Similarly, if I single-step, it correctly throws the error.

I can't quite tell why this is the case. It doesn't look like package:test uses any of the headers to allow such access. It could also be that we need to actually enable same-origin policy for this (I know it's not enabled for script tags, but maybe it's not enabled for other relevant scenarios by default) and single-stepping/console execution always respects same-origin policy. The tests being run in an iframe also shouldn't allow this afaict.

This came up when trying to add some wrappers in package:web to allow cross-origin access to approved properties: dart-lang/web#291. While the test in that PR passes, I can't tell if it's really doing the right thing or we're just silently ignoring any SecurityErrors because of this bug. I had to single-step to verify.

Fixing this might make a few tests across the ecosystem fail due to new SecurityErrors.