
Re: [dom] Need to describe the interaction of adoptNode with prototype chains

From: Anne van Kesteren <annevk@annevk.nl>
Date: Sun, 23 Dec 2012 10:09:29 +0100
Message-ID: <CADnb78gs8XQBHRxH8aBuRyoh15Y=9354dBZyjXyo-ddU=W9CFg@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: www-dom@w3.org

On Sat, Dec 22, 2012 at 8:12 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> 2)  If a script adopts a node from a subframe and then unloads the subframe
> or removes it from the DOM, remembering the proto means you leak the entire
> global object _and_ the entire DOM of the subframe, because HTMLElement is
> reachable from the adopted node (via .__proto__ and .constructor) and then
> you can call "new HTMLElement" from the now-unloaded subframe Window and now
> you have a node whose ownerDocument is the document that was in the subframe
> and you can reach its DOM, so the UA has to keep all that stuff alive or
> has to make some of this stuff not work or something.  That seems like a
> pretty serious footgun to me.

What happens with document.open()? Does that replace the proto as well?

How do I go about defining replacing the proto of an element? Are
there any other places where this happens in the platform? Is the
right place in DOM or should IDL provide a hook for it?

(Given your point I think Gecko's design is the way to go.)


-- 
http://annevankesteren.nl/
Received on Sunday, 23 December 2012 09:09:58 GMT
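
An added illustration of the reachability chain in the quoted point 2, not code from either participant: a `node:vm` context stands in for the subframe's global and plain objects stand in for DOM nodes. It compares adoption that remembers the proto with adoption that replaces it; `FrameElement`, `ParentElement`, `frameDoc`, `parentDoc` and the `adopt*` helpers are hypothetical names.

```javascript
// Added illustration, not code from the thread. Plain objects stand in for DOM
// nodes and a node:vm context stands in for the subframe's global.
// All names (FrameElement, frameDoc, adopt*) are hypothetical.
const vm = typeof require === 'function'
  ? require('node:vm')
  : process.getBuiltinModule('node:vm'); // fallback when run as an ES module

const parentDoc = { name: 'parent document' };
function ParentElement() { this.ownerDocument = parentDoc; }

// Build a "subframe" realm and return one node created inside it.
function nodeFromSubframe() {
  const frameGlobal = vm.createContext({});
  return vm.runInContext(`
    var frameDoc = { name: 'subframe document' };
    function FrameElement() { this.ownerDocument = frameDoc; }
    new FrameElement();
  `, frameGlobal);
}

// Adoption that remembers the original prototype.
function adoptKeepingProto(node) {
  node.ownerDocument = parentDoc;
  return node;
}

// Adoption that also replaces the prototype with the adopting global's.
function adoptReplacingProto(node) {
  node.ownerDocument = parentDoc;
  Object.setPrototypeOf(node, ParentElement.prototype);
  return node;
}

// Follow node -> prototype -> constructor, construct a fresh node,
// and report which document that fresh node belongs to.
function documentReachableFrom(node) {
  const Ctor = Object.getPrototypeOf(node).constructor;
  return new Ctor().ownerDocument.name;
}

// True while the node's prototype chain still ends in another realm.
function protoIsForeign(node) {
  return !(node instanceof Object);
}

const kept = adoptKeepingProto(nodeFromSubframe());
const replaced = adoptReplacingProto(nodeFromSubframe());
console.log(kept.ownerDocument.name, '->', documentReachableFrom(kept), protoIsForeign(kept));
console.log(replaced.ownerDocument.name, '->', documentReachableFrom(replaced), protoIsForeign(replaced));
```

With the proto remembered, the adopted node reports the parent document as its owner yet still leads back to the subframe's constructor and document; with the proto replaced, nothing on the node refers to the subframe realm.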