Make Location's toString() work and drop its toJSON()

I mistakenly copied all boilerplate from IDL’s unforgeable interfaces concept (which was only ever used for Location) and thereby turned the toString() fallback behavior into the actual behavior (or an exception arguably, as [[Configurable]] is false).

We also determined that only Firefox supports an unforgeable toJSON() and nobody really has a use for it, so that is dropped.

Tests: web-platform-tests/wpt#4623.

Fixes #2284.

Author: annevk

source

@@ -2882,8 +2882,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
          <dfn>@@toStringTag</dfn></li>
      <li><dfn data-x-href="https://tc39.github.io/ecma262/#sec-well-known-intrinsic-objects">Well-Known Intrinsic Objects</dfn>, including
          <dfn data-x-href="https://tc39.github.io/ecma262/#sec-arraybuffer-constructor">%ArrayBuffer%</dfn>,
-         <dfn data-x-href="https://tc39.github.io/ecma262/#sec-properties-of-the-array-prototype-object">%ArrayPrototype%</dfn>,
-         <dfn data-x-href="https://tc39.github.io/ecma262/#sec-object.prototype.tostring">%ObjProto_toString%</dfn>, and
+         <dfn data-x-href="https://tc39.github.io/ecma262/#sec-properties-of-the-array-prototype-object">%ArrayPrototype%</dfn>, and
          <dfn data-x-href="https://tc39.github.io/ecma262/#sec-object.prototype.valueof">%ObjProto_valueOf%</dfn></li>
 
      <li>The <dfn data-x="js-prod-FunctionBody" data-x-href="https://tc39.github.io/ecma262/#prod-FunctionBody"><i>FunctionBody</i></dfn> production</li>
@@ -80539,18 +80538,6 @@ State: &lt;OUTPUT NAME=I>1&lt;/OUTPUT> &lt;INPUT VALUE="Increment" TYPE=BUTTON O
    <li><p>Let <var>location</var> be a new <code>Location</code> <span>platform
    object</span>.</p></li>
 
-   <li><p>Perform ! <var>location</var>.[[DefineOwnProperty]]("<code data-x="">toString</code>", {
-   [[Value]]: <span>%ObjProto_toString%</span>,
-   [[Writable]]: false,
-   [[Enumerable]]: false,
-   [[Configurable]]: false }).</p></li>
-
-   <li><p>Perform ! <var>location</var>.[[DefineOwnProperty]]("<code data-x="">toJSON</code>", {
-   [[Value]]: undefined,
-   [[Writable]]: false,
-   [[Enumerable]]: false,
-   [[Configurable]]: false }).</p></li>
-
    <li><p>Perform ! <var>location</var>.[[DefineOwnProperty]]("<code data-x="">valueOf</code>", {
    [[Value]]: <span>%ObjProto_valueOf%</span>,
    [[Writable]]: false,
@@ -80569,6 +80556,16 @@ State: &lt;OUTPUT NAME=I>1&lt;/OUTPUT> &lt;INPUT VALUE="Increment" TYPE=BUTTON O
    <li><p>Return <var>location</var>.</p></li>
   </ol>
 
+  <p class="note">The addition of <code data-x="">valueOf</code> and <span>@@toPrimitive</span> own
+  data properties, as well as the fact that all of <code>Location</code>'s IDL attributes are marked
+  <code data-x="">[Unforgeable]</code>, is required by legacy code that consulted the
+  <code>Location</code> interface, or stringified it, to determine the <span
+  data-x="concept-document-url">document URL</span>, and then used it in a security-sensitive way.
+  In particular, the <code data-x="">valueOf</code>, <span>@@toPrimitive</span>, and <code
+  data-x="">[Unforgeable]</code> stringifier mitigations ensure that code such as <code
+  data-x="">foo[location] = bar</code> or <code data-x="">location + ""</code> cannot be
+  misdirected.</p>
+
   </div>
 
   <dl class="domintro">
@@ -80605,7 +80602,7 @@ State: &lt;OUTPUT NAME=I>1&lt;/OUTPUT> &lt;INPUT VALUE="Increment" TYPE=BUTTON O
   <span>current entry</span> of the <span>browsing context</span>'s session history to be changed,
   by adding or replacing entries in the <code data-x="dom-history">history</code> object.</p>
 
-  <pre class="idl">interface <dfn>Location</dfn> {
+  <pre class="idl">interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface">additional creation steps</a> and <a href="#location-internal-methods">overridden internal methods</a>
   [Unforgeable] stringifier attribute USVString <span data-x="dom-location-href">href</span>;
   [Unforgeable] readonly attribute USVString <span data-x="dom-location-origin">origin</span>;
   [Unforgeable] attribute USVString <span data-x="dom-location-protocol">protocol</span>;
@@ -81269,9 +81266,9 @@ State: &lt;OUTPUT NAME=I>1&lt;/OUTPUT> &lt;INPUT VALUE="Increment" TYPE=BUTTON O
 
   <hr>
 
-  <p>As explained earlier, the <code>Location</code> exotic object requires additional logic beyond
-  IDL for security purposes. The internal slot and internal methods <code>Location</code> objects
-  must implement are defined below.</p>
+  <p id="location-internal-methods">As explained earlier, the <code>Location</code> exotic object
+  requires additional logic beyond IDL for security purposes. The internal slot and internal methods
+  <code>Location</code> objects must implement are defined below.</p>
 
   <p>Every <code>Location</code> object has a <dfn>[[DefaultProperties]]</dfn> internal slot
   representing its own properties at time of its creation.</p>
@@ -119246,6 +119243,7 @@ INSERT INTERFACES HERE
   Ami Fischman,
   Amos Jeffries,
   Anders Carlsson,
+  André Bargull,
   Andr&eacute; E. Veltstra,
   Andrea Rendine,
   Andreas<!-- mqmq87 -->,