On Jul 16, 2009, at 5:58 PM, Ian Hickson wrote:

> On Thu, 16 Jul 2009, Maciej Stachowiak wrote:
>> On Jul 16, 2009, at 3:08 PM, Jonas Sicking wrote:
>>>
>>> I definitely agree you definitely don't want the inner window's
>>> prototype values if it's a cross-origin window. What you should
>>> get is less clear to me.
>>>
>>> If you should get the outer window's prototype or some sort of blank
>>> prototype. Personally it'd make the most sense to me if you got a
>>> blank prototype since that seems like the most consistent behavior.
>>
>> Window itself is even more of a special case. What I had in mind is
>> objects hanging off of Window that are accessible to a limited extent
>> cross-origin, such as History, or Location, or the postMessage
>> function.
>> I don't think it would work to give those a blank prototype. And you
>> can't just give them the prototype chain from their home window
>> because that would be an XSS violation.
>
> HTML5 just says that new History, Location, etc, objects are created
> for each (inner) Window object. Is this not accurate? What do browsers do?

Creating new ones on navigation is indeed correct, but a separate issue from making sure cross-origin cross-frame access to things like history.back() is safe for both parties.

Regards,
Maciej

Received on Friday, 17 July 2009 01:47:14 GMT