- From: Boris Zbarsky <notifications@github.com>
- Date: Thu, 08 Dec 2016 10:22:39 -0800
- To: w3c/browser-payment-api <browser-payment-api@noreply.github.com>
- Message-ID: <w3c/browser-payment-api/issues/361/265814366@github.com>

The WebSocket testcase isn't quite right. You want this one: http://software.hixie.ch/utilities/js/live-dom-viewer/?saved=4721

Note that that one does not throw in Chrome. It does throw in Gecko, but a non-spec exception, because per websocket spec this situation should _not_ throw for websocket. Maybe that's a flaw in the websocket spec; hard to tell. I would think there is, because nothing obviously shuts down that websocket connection if it gets established! I filed https://github.com/whatwg/html/issues/2153 on this.

But note that websocket doesn't seem to rely in any way on the active document of the browsing context of its global or anything like that, and there's no real spoofing risk there either. So at least it's not a security issue.

> However I can't find where in WebIDL it says to "perform a security check" for constructors

Perform a security check against what object, exactly?

> Is each constructor algorithm expected to do a security check

I don't think it's a matter of security checks at all. It's a matter of active document checks. And yes, constructors should perform those themselves, because some constructors may be perfectly fine to call in inactive documents, if we think it's ok to do anything at all in inactive documents.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/browser-payment-api/issues/361#issuecomment-265814366

Received on Thursday, 8 December 2016 18:23:39 UTC