Re: [whatwg] Window and WindowProxy

From: Ian Hickson <ian@hixie.ch>
Date: Wed, 7 Aug 2013 21:18:24 +0000 (UTC)
To: Boris Zbarsky <bzbarsky@MIT.EDU>
Message-ID: <alpine.DEB.2.00.1308072112450.27623@ps20323.dreamhostps.com>
Cc: whatwg@lists.whatwg.org

On Tue, 6 Aug 2013, Boris Zbarsky wrote:
> 
> There are two somewhat-orthogonal concerns here:
> 
> 1)  Where do the security checks live?
> 2)  Where do the indexed properties live?

Oh, interesting. I hadn't considered moving the indexed properties, only 
moving the security checks.

We could indeed move the indexed properties to WindowProxy, while leaving 
the security checks (which apply to non-indexed properties only) on 
Window. This would still address my concern, which is that if we move the 
security checks to WindowProxy, and then break the invariant whereby you 
can't actually get to a cross-origin Window directly, you would suddenly 
have a security hole. Would it address your concerns? (I'm not sure I 100% 
understand what those are yet, i.e. why you want this moved.)

The difficulty with moving just the indexed properties is that "length" 
would now be on a different object than what it describes. Also, it would 
complicate the WindowProxy magic -- now, instead of it just being a proxy, 
it would be a proxy except for certain properties.

Can you elaborate on what the problem is with the current approach?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 7 August 2013 21:18:53 UTC
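
The concern raised in this message, as an added toy model in JavaScript (not part of the original post, and not the HTML specification's algorithm or any browser's code): it places the same origin check either on the Window or on the WindowProxy and compares a read through the proxy with a read through a direct Window reference. All names (`securityCheck`, `makeBrowsingContext`, `readAs`, `scenario`, `CROSS_ORIGIN_SAFE`), the origins and the property values are assumptions constructed for the example.

```javascript
// Toy model added for illustration; every name is hypothetical, not spec or browser code.
const CROSS_ORIGIN_SAFE = new Set(["location", "postMessage", "closed"]); // illustrative subset
let callerOrigin = null; // stands in for the origin of the script currently running

// The check discussed in the thread: it applies to non-indexed properties only.
function securityCheck(windowOrigin, prop) {
  const indexed = typeof prop === "string" && /^\d+$/.test(prop);
  if (!indexed && callerOrigin !== windowOrigin && !CROSS_ORIGIN_SAFE.has(prop)) {
    throw new Error("SecurityError: cross-origin read of " + String(prop));
  }
}

// checksOn is "Window" or "WindowProxy": the object that enforces securityCheck.
function makeBrowsingContext(checksOn) {
  let current = null; // { origin, win } for the active document's Window
  const windowProxy = new Proxy({}, {
    get(_target, prop) {
      if (checksOn === "WindowProxy") securityCheck(current.origin, prop);
      return current.win[prop]; // forward to whichever Window is current
    },
  });
  function navigate(origin, props) {
    const raw = { ...props };
    const win = checksOn === "Window"
      ? new Proxy(raw, { get(t, prop) { securityCheck(origin, prop); return t[prop]; } })
      : raw;
    current = { origin, win };
    return win; // direct Window reference; the invariant is that cross-origin script never holds one
  }
  return { windowProxy, navigate };
}

// Read obj[prop] as a script of the given origin; return the value or the error text.
function readAs(origin, obj, prop) {
  callerOrigin = origin;
  try { return obj[prop]; } catch (e) { return e.message; } finally { callerOrigin = null; }
}

// Constructed scenario: a.example's Window read by script from b.example.
function scenario(checksOn) {
  const ctx = makeBrowsingContext(checksOn);
  const direct = ctx.navigate("https://a.example", { secret: "token-123", 0: "child-frame" });
  return {
    viaProxy: readAs("https://b.example", ctx.windowProxy, "secret"),
    viaDirect: readAs("https://b.example", direct, "secret"), // the invariant is broken here
    indexed: readAs("https://b.example", ctx.windowProxy, "0"),
    sameOrigin: readAs("https://a.example", ctx.windowProxy, "secret"),
  };
}
```

With the check on the Window, both the proxied and the direct cross-origin read are refused; with the check on the WindowProxy, the direct read returns the value, so that placement depends entirely on the invariant holding.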
