
Re: [whatwg] Location object identity and navigation behavior

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 9 Nov 2012 12:17:59 -0800
Message-ID: <CAJE5ia8p7gLuYwj9BjaDGNWgZecw=ymYGVmsf9akhLJaZAOONA@mail.gmail.com>
To: Bobby Holley <bobbyholley@gmail.com>
Cc: whatwg <whatwg@lists.whatwg.org>, Matt Wobensmith <mwobensmith@mozilla.com>, Boris Zbarsky <bzbarsky@mit.edu>, Johnny Stenback <jst@mozilla.com>
On Fri, Nov 9, 2012 at 12:06 PM, Bobby Holley <bobbyholley@gmail.com> wrote:
> On Fri, Nov 9, 2012 at 11:33 AM, Adam Barth <w3c@adambarth.com> wrote:
>> > That was my opinion for a while, too, but I eventually decided it was
>> > necessary in Gecko.
>>
>> Can you explain why you think it is necessary?  In WebKit, the
>> WindowProxy is the only object that has this magic.
>
> As noted, the Location object is the only object whose security
> characteristics don't match its scope. This requires a lot of extra goop in
> our compartment-based security model, and the goop is brittle (recently
> forcing us to release two out-of-band updates, 16.0.1 and 16.0.2). We've got
> enough belt-and-suspenders code now that I'm not particularly worried, but I
> still want to make Location just like any other object from a security
> perspective.
>
> If UAs were consistent or the spec matched reality, this would be a
> different story. But given that we probably need to change the spec to
> either the Trident/Presto model or the Gecko/WebKit model, I support the
> former, because we've historically had problems implementing the latter
> securely. Do you feel that it would be difficult to implement the former
> securely in WebKit?

That depends on the questions I asked earlier.

> Also, FWIW, from the perspective of an average web-developer, IMO it makes
> much more semantic sense to have one Location per WindowProxy if the
> Location object describes the WindowProxy. But I doubt many people touch
> this stuff in practice.

I don't think the average web developer will hit this case because it
depends on interacting with the Location object in an inactive
document.

>> We don't want to move objects between scopes.  That causes many
>> security complications that we don't want to deal with.
>
> Are you able to just update references, like you do with WindowProxy?

That's the magic I don't want to proliferate.

> That's
> essentially what we're doing. We actually create a new object in the new
> scope and update all the old references to point to it.
>
>> Can you answer the questions in my previous email?
>
> Which ones? AFAICT Boris answered all of them except for the testcase thing
> (which I answered). Did I miss some?

Maybe I didn't receive your email.  I gave some example code and asked
which values were printed:

---8<---
Consider the following case:

== Document A ==
<script>
Object.prototype.foo = "A1";
window.location.bar = "A2";

function f() {
  var loc = window.location;
  print(loc.foo); // print is a magic function that lets me see this value
  print(loc.bar);
}
</script>

== Document B ==
<script>
Object.prototype.foo = "B1";
window.location.bar = "B2";
</script>

1) Document A is displayed in browsing context X.
2) Browsing context X is navigated and now displays document B.
3) Function f is called.

What values are printed?
--->8---

Adam
Received on Friday, 9 November 2012 20:34:50 GMT
