Re: Window security policy

On 18/07/11 04:41, Boris Zbarsky wrote:
> On 7/17/11 4:25 PM, Geoffrey Sneddon wrote:
>> What does Object.getPrototypeOf do given a cross-origin window object?
> This is an excellent question. In Gecko's current implementation it
> returns a proxy (which implements the security membrane and wraps the
> actual cross-origin prototype object. Accessing properties on this
> object then throws from the proxy.
> But I can see the argument for making it throw too. Not sure how best to
> spec that if that's desired.

My understanding is that WebKit just returns undefined here, as if there 
was no prototype.

Our current implementation follows WebKit (primarily because of 
implementation simplicity), but that can trivially be changed to 
throwing, which on the whole I think would be the nicest solution if it 
weren't for the apparent inconsistency it would introduce (and therefore 
spec complexity).

We, in the short-term, have limited options seeming we don't actually 
have a Window interface prototype object (we implement the Window object 
with everything on the window object itself, whose [[Prototype]] is the 
Object prototype object).

>> What if you create an object with it as the prototype (with
>> Object.create)?
> In Gecko this seems to succeed. But again, good question.
>> What if you access properties on that?
> Needs to throw, if you can get that far. In my opinion.

On the whole it'd seem easiest if we could avoid it being possible to 
get this far, as having an object that always throws every time you 
touch it is rather useless.

There again, creating an object with it as the prototype probably isn't 
that bad, as any property access should be throwing anyway, but it does 
just open up extra possible attack surface for no reason, which seems bad.

Geoffrey Sneddon  Opera Software

Received on Monday, 18 July 2011 13:32:47 UTC