Re: resolving references when object from other security context is in scope from Hallvord Reiar Michaelsen Steen on 2013-06-07 (public-script-coord@w3.org from April to June 2013)

From: Hallvord Reiar Michaelsen Steen <hallvord@opera.com>
Date: Fri, 07 Jun 2013 14:05:48 +0200
To: public-script-coord@w3.org
Message-ID: <1e7f94edd6b4b3134aab92772e96ed72@opera.com>

> Also, defining new variables in the with block that previously exist  
> neither in the global scope nor in the IFRAME's shows inconsistency across  
> browsers:
> 
> with(iframe.contentWindow){
>      previouslyUndefinedVariable='test';
> }
> 
> Those browsers that throw for the second sample above also throw for this.  
> (This does seem a bit concerning because in those browsers this can be  

> used to spy on what *names* another site has defined in its JS.


Just to clarify this, I didn't proof read enough before sending: it's the browsers that *do not* throw for the second sample above and allow defining new variables in the parent scope if they don't exist in the other origin scope I'm concerned about..

-- 
Hallvord R. M. Steen
Core tester, Opera Software

Received on Friday, 7 June 2013 12:06:14 UTC