
Re: WebIDL and prototype chains

From: Maciej Stachowiak <mjs@apple.com>
Date: Thu, 16 Jul 2009 18:46:29 -0700
Cc: Jonas Sicking <jonas@sicking.cc>, Adam Barth <w3c@adambarth.com>, public-webapps <public-webapps@w3.org>
Message-id: <73B08E75-D34F-4364-8E4A-32BAF7381AAF@apple.com>
To: Ian Hickson <ian@hixie.ch>

On Jul 16, 2009, at 5:58 PM, Ian Hickson wrote:

> On Thu, 16 Jul 2009, Maciej Stachowiak wrote:
>> On Jul 16, 2009, at 3:08 PM, Jonas Sicking wrote:
>>>
>>> I definitely agree you definitely don't want the inner window's
>>> prototype values if it's a cross-origin window. What you should get
>>> is less clear to me.
>>>
>>> If you should get the outer window's prototype or some sort of blank
>>> prototype. Personally it'd make the most sense to me if you got a
>>> blank prototype since that seems like the most consistent behavior.
>>
>> Window itself is even more of a special case. What I had in mind is
>> objects hanging off of Window that are accessible to a limited extent
>> cross-origin, such as History, or Location, or the postMessage
>> function. I don't think it would work to give those a blank
>> prototype. And you can't just give them the prototype chain from
>> their home window because that would be an XSS violation.
>
> HTML5 just says that new History, Location, etc, objects are created
> for each (inner) Window object. Is this not accurate? What do
> browsers do?

Creating new ones on navigation is indeed correct, but a separate
issue from making sure cross-origin cross-frame access to things like
history.back() is safe for both parties.

Regards,
Maciej
Received on Friday, 17 July 2009 01:47:14 GMT
