- From: Maciej Stachowiak <mjs@apple.com>
- Date: Thu, 16 Jul 2009 18:46:29 -0700
- To: Ian Hickson <ian@hixie.ch>
- Cc: Jonas Sicking <jonas@sicking.cc>, Adam Barth <w3c@adambarth.com>, public-webapps <public-webapps@w3.org>
On Jul 16, 2009, at 5:58 PM, Ian Hickson wrote: > On Thu, 16 Jul 2009, Maciej Stachowiak wrote: >> On Jul 16, 2009, at 3:08 PM, Jonas Sicking wrote: >>> >>> I definitely agree you definitely don't want the inner windows >>> prototype values if it's a cross-origin window. What you should >>> get is >>> less clear to me. >>> >>> If you should get the outer windows prototype or some sort of blank >>> prototype. Personally it'd make the most sense to me if you got a >>> blank prototype since that seems like the most consistent behavior. >> >> Window itself is even more of a special case. What I had in mind is >> objects hanging off of Window that are accessible to a limited extent >> cross-origin, such as History, or Location, or the postMessage >> function. >> I don't think it would work to give those a blank prototype. And you >> can't just give them the prototype chain from their home window >> because >> that would be an XSS violation. > > HTML5 just says that new History, Location, etc, objects are created > for > each (inner) Window object. Is this not accurate? What do browsers do? Creating new ones on navigation is indeed correct, but a separate issue from making sure cross-origin cross-frame access to things like history.back() is safe for both parties. Regards, Maciej
Received on Friday, 17 July 2009 01:47:14 UTC