W3C home > Mailing lists > Public > public-script-coord@w3.org > July to September 2011

Window security policy

From: Geoffrey Sneddon <gsneddon@opera.com>
Date: Sun, 17 Jul 2011 21:25:12 +0100
Message-ID: <4E234528.5010100@opera.com>
To: "public-html@w3.org" <public-html@w3.org>, public-script-coord@w3.org
The current text here is: "User agents must raise a SECURITY_ERR 
exception whenever any properties of a Window object are accessed by 
scripts whose effective script origin is not the same as the Window 
object's Document's effective script origin, with the following exceptions…"

What is "a Window object"? The Window interface object? The Window 
interface prototype object? Objects implementing the Window interface? 
All three? I presume all three…

What are "any properties"? Properties defined on "a Window object"? 
Properties defined on anything in the prototype chain of "a Window 
object"? Internal properties on those two (obviously not all internal 
properties can throw, because, e.g., [[Get]] must still work for the 

What does Object.getPrototypeOf do given a cross-origin window object? 
Per ECMAScript 5.1 it would seem quite clear that is has to return the 
Window interface prototype object, but is this desirable? (__proto__ 
throws SECURITY_ERR, as is fairly obvious, but should accessing 
[[Prototype]] do so too?)

If Object.getPrototypeOf does return the Window interface prototype 
object, what happens with property accesses on that? What if you create 
an object with it as the prototype (with Object.create)? What if you 
access properties on that?

Geoffrey Sneddon — Opera Software
Received on Sunday, 17 July 2011 20:25:45 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:04 UTC