- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Fri, 16 Oct 2015 11:16:20 +0200
- To: Bobby Holley <bholley@mozilla.com>
- Cc: Boris Zbarsky <bzbarsky@mit.edu>, Domenic Denicola <d@domenic.me>, Cameron McCormack <cam@mcc.id.au>, www-archive <www-archive@w3.org>
On Tue, Oct 13, 2015 at 7:21 PM, Bobby Holley <bholley@mozilla.com> wrote: > To be clear, there's no concept of 'wrapping' in the cross-origin spec. > Instead, the spec talks about 'minting' a fresh per-origin object to > represent a 'concept' (Window or Location). I don't understand how we can mint fresh objects yet also expect those objects to === each other if they proxy the same underlying object/concept. > That was mostly outside the scope of the cross-origin object summit, IIRC. > We defined things in terms of Window, not WindowProxy, and assumed that > WindowProxy would do its magic and forward somehow. Note that WindowProxy is > another one of those access points that might give you a reference > (implicitly) to a cross-origin object. Since WindowProxy is the object that is exposed to JavaScript wouldn't it be better to handle all the security logic there? And similarly redefine Location somehow to also handle all the security logic? https://bugzilla.mozilla.org/show_bug.cgi?id=1214375 suggests that separating between same-origin and cross-origin objects is not necessarily helpful. -- https://annevankesteren.nl/
Received on Friday, 16 October 2015 09:16:47 UTC