W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2009

Re: WebIDL and prototype chains

From: Ian Hickson <ian@hixie.ch>
Date: Fri, 17 Jul 2009 00:58:48 +0000 (UTC)
To: Maciej Stachowiak <mjs@apple.com>
Cc: Jonas Sicking <jonas@sicking.cc>, Adam Barth <w3c@adambarth.com>, public-webapps <public-webapps@w3.org>
Message-ID: <Pine.LNX.4.62.0907170057400.12284@hixie.dreamhostps.com>
On Thu, 16 Jul 2009, Maciej Stachowiak wrote:
> On Jul 16, 2009, at 3:08 PM, Jonas Sicking wrote:
> > 
> > I definitely agree you definitely don't want the inner windows 
> > prototype values if it's a cross-origin window. What you should get is 
> > less clear to me.
> > 
> > If you should get the outer windows prototype or some sort of blank 
> > prototype. Personally it'd make the most sense to me if you got a 
> > blank prototype since that seems like the most consistent behavior.
> 
> Window itself is even more of a special case. What I had in mind is 
> objects hanging off of Window that are accessible to a limited extent 
> cross-origin, such as History, or Location, or the postMessage function. 
> I don't think it would work to give those a blank prototype. And you 
> can't just give them the prototype chain from their home window because 
> that would be an XSS violation.

HTML5 just says that new History, Location, etc, objects are created for 
each (inner) Window object. Is this not accurate? What do browsers do?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 17 July 2009 00:59:24 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:32 GMT