- From: Adam Barth <w3c@adambarth.com>
- Date: Fri, 9 Nov 2012 12:17:59 -0800
- To: Bobby Holley <bobbyholley@gmail.com>
- Cc: whatwg <whatwg@lists.whatwg.org>, Matt Wobensmith <mwobensmith@mozilla.com>, Boris Zbarsky <bzbarsky@mit.edu>, Johnny Stenback <jst@mozilla.com>
On Fri, Nov 9, 2012 at 12:06 PM, Bobby Holley <bobbyholley@gmail.com> wrote:
> On Fri, Nov 9, 2012 at 11:33 AM, Adam Barth <w3c@adambarth.com> wrote:
>> > That was my opinion for a while, too, but I eventually decided it was
>> > necessary in Gecko.
>>
>> Can you explain why you think it is necessary? In WebKit, the
>> WindowProxy is the only object that has this magic.
>
> As noted, the Location object is the only object whose security
> characteristics don't match its scope. This requires a lot of extra goop in
> our compartment-based security model, and the goop is brittle (recently
> forcing us to release two out-of-band updates, 16.0.1 and 16.0.2). We've got
> enough belt-and-suspenders code now that I'm not particularly worried, but I
> still want to make Location just like any other object from a security
> perspective.
>
> If UAs were consistent or the spec matched reality, this would be a
> different story. But given that we probably need to change the spec to
> either the Trident/Presto model or the Gecko/WebKit model, I support the
> former, because we've historically had problems implementing the latter
> securely. Do you feel that it would be difficult to implement the former
> securely in WebKit?
That depends on the questions I asked earlier.
> Also, FWIW, from the perspective of an average web-developer, IMO it makes
> much more semantic sense to have one Location per WindowProxy if the
> Location object describes the WindowProxy. But I doubt many people touch
> this stuff in practice.
I don't think the average web developer will hit this case because it
depends on interacting with the Location object in an inactive
document.
>> We don't want to move objects between scopes. That causes many
>> security complications that we don't want to deal with.
>
> Are you able to just update references, like you do with WindowProxy?
That's the magic I don't want to proliferate.
> That's
> essentially what we're doing. We actually create a new object in the new
> scope and update all the old references to point to it.
>
>> Can you answer the questions in my previous email?
>
> Which ones? AFAICT Boris answered all of them except for the testcase thing
> (which I answered). Did I miss some?
Maybe I didn't receive your email. I gave some example code and asked
which values were printed:
---8<---
Consider the following case:
== Document A ==
<script>
Object.prototype.foo = "A1";
window.location.bar = "A2";
function f() {
var loc = window.location;
print(loc.foo); // print is a magic function that lets me see this value
print(loc.bar);
}
</script>
== Document B ==
<script>
Object.prototype.foo = "B1";
window.location.bar = "B2";
</script>
1) Document A is displayed in browsing context X.
2) Browsing context X is navigated and now displays document B.
3) Function f is called.
What values are printed?
--->8---
Adam
Received on Friday, 9 November 2012 20:34:50 UTC