Re: [whatwg] Location object identity and navigation behavior

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Mon, 19 Nov 2012 21:46:25 -0500
Message-ID: <50AAEF01.4000004@mit.edu>
To: Ian Hickson <ian@hixie.ch>
Cc: whatwg <whatwg@lists.whatwg.org>, Matt Wobensmith <mwobensmith@mozilla.com>, Johnny Stenback <jst@mozilla.com>, Bobby Holley <bobbyholley@gmail.com>, Adam Barth <w3c@adambarth.com>

On 11/19/12 8:38 PM, Ian Hickson wrote:
> For now I've tightened up the spec so it should be implementable, secure,
> and Web-compatible

I don't believe it's secure as currently written, actually.  Filed 
https://www.w3.org/Bugs/Public/show_bug.cgi?id=20012

> I'm also curious as to why figuring out the "entry script"'s
> characteristics needs to use the stack introspection rather than just
> having an event-loop global "first script" variable

You can maintain a stack of entry scripts.  You can't use a global, 
because you need to push and pop entry scripts as various things happen 
(e.g. invoking event listeners sets the entry script to the event 
listener function's script for the duration of the event listener 
invocation).

There is no such stack of entry scripts in Gecko yet, but we're working 
on changing that.

The thing that _really_ requires stack introspection is when you need to 
look at the caller script instead of the entry script.  Which is what 
you need to do when performing Location security checks (or indeed, any 
security checks).

-Boris
Received on Tuesday, 20 November 2012 03:40:48 GMT
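
A toy model of the distinction drawn in the message above, added here as an illustration; it is not code from the thread, from Gecko or from the HTML spec. It shows why a single "first script" variable reports the wrong script while an event listener runs, and how the caller script can differ from the entry script. The `ScriptTracker` class, its method names and the example origins are hypothetical.

```javascript
// Toy model, constructed for illustration. A "script" is just an origin label.
class ScriptTracker {
  constructor() {
    this.entryStack = [];    // pushed whenever script is entered from outside (task, listener)
    this.callStack = [];     // one frame per running function, tagged with its owning script
    this.globalFirst = null; // the single-variable alternative: set once per task
  }
  // Enter code owned by `script` as a new entry point (task or listener invocation).
  enter(script, fn) {
    this.entryStack.push(script);
    if (this.globalFirst === null) this.globalFirst = script;
    try {
      return this.call(script, fn);
    } finally {
      this.entryStack.pop();
      if (this.entryStack.length === 0) this.globalFirst = null;
    }
  }
  // Ordinary function call into code owned by `script`; the entry script is unchanged.
  call(script, fn) {
    this.callStack.push(script);
    try { return fn(); } finally { this.callStack.pop(); }
  }
  get entryScript() { return this.entryStack[this.entryStack.length - 1]; }
  // The script whose function is currently making the (hypothetical) API call.
  get callerScript() { return this.callStack[this.callStack.length - 1]; }
}

function demo() {
  const t = new ScriptTracker();
  const seen = {};
  t.enter("https://a.example", () => {
    // A synchronously dispatches an event whose listener belongs to B.
    t.enter("https://b.example", () => {
      seen.inListener = { entry: t.entryScript, global: t.globalFirst };
    });
    // The listener has returned: the stack restores A, with no extra bookkeeping.
    seen.afterListener = { entry: t.entryScript, global: t.globalFirst };
    // A calls a helper owned by C, which is the code that would touch Location.
    t.call("https://c.example", () => {
      seen.inHelper = { entry: t.entryScript, caller: t.callerScript };
    });
  });
  return seen;
}
```

Inside the listener the stack reports B as the entry script while the single variable still reports A; inside the helper the entry script is A but the caller is C.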
