[Bug 22346] Security: When invoking a method, getter, or setter on an object using the property descriptor of another, we need to do a security check from bugzilla@jessica.w3.org on 2013-07-24 (public-webapps-bugzilla@w3.org from July 2013)

From: <bugzilla@jessica.w3.org>
Date: Wed, 24 Jul 2013 04:25:15 +0000
To: public-webapps-bugzilla@w3.org
Message-ID: <bug-22346-2532-03XpxixpWp@http.www.w3.org/Bugs/Public/>

https://www.w3.org/Bugs/Public/show_bug.cgi?id=22346

--- Comment #5 from Boris Zbarsky <bzbarsky@mit.edu> ---
> Is there ever a case when the global doesn't have a corresponding Document?  

Workers?  I suspect in practice in cases when origins can mix the answer is no.
 But it shouldn't matter, because...

> Can I just follow the chain of

No, once you've landed at the browsing context you lose.  In particular, I
should not be able to get my hands on a cross-origin object, then navigate the
browsing context its global is associated with to some page I'm same-origin
with and then access the object!

Luckily, that's not needed: we just need to define the origins of globals and
be done with it.

>            WindowProxy object that is the global [HTML] ->

The global is a Window, not a WindowProxy.

-- 
You are receiving this mail because:
You are the QA Contact for the bug.

Received on Wednesday, 24 July 2013 04:25:16 UTC