- From: <bugzilla@jessica.w3.org>
- Date: Wed, 24 Jul 2013 17:30:23 +0000
- To: public-script-coord@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=22346

Ian 'Hixie' Hickson <ian@hixie.ch> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ian@hixie.ch

--- Comment #7 from Ian 'Hixie' Hickson <ian@hixie.ch> ---

I don't think this should apply to every object (note: bz contends otherwise, understandably, because doing it everywhere is good defense in depth — but currently, only Gecko does it everywhere, and unless the other browser vendors are willing to change their security model to check this on every operation, I'd rather not require it, since then we wouldn't match the majority of reality).

Also, note that it's not all properties that are blocked; Window and Location in particular allow some but disallow others.

I think the way to do this that most closely matches what most browsers do would be to have a hook in the algorithms for methods, getters, and setters, that checks if this particular object is a "secured object", and if it is, invokes some hook that returns "ok" or "fail". Then, in HTML, I define the hook as being what the spec says now for properties on these objects (Window, and Location, primarily, but also Document - always "fail" if the origin is different - and Storage).

--
You are receiving this mail because:
You are on the CC list for the bug.
Received on Wednesday, 24 July 2013 17:30:26 UTC
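
An added example, not part of the original message or of any browser's code: a JavaScript model of the hook proposed in comment #7, in which the shared step for methods, getters and setters consults a per-interface hook only for "secured objects" and the hook answers "ok" or "fail". Every name here, the string origins and the allowed-member lists are illustrative assumptions; Storage is left out because the message does not state its rule.

```javascript
// Hypothetical model: names, string origins and member lists are constructed.
// Window and Location allow some members cross-origin and disallow others.
const CROSS_ORIGIN_OK = {
  Window: { get: ["location", "closed"], set: [], call: ["postMessage", "close"] },
  Location: { get: [], set: ["href"], call: ["replace"] },
};

function allowlistHook(iface) {
  return (caller, target, kind, name) =>
    caller === target.origin || CROSS_ORIGIN_OK[iface][kind].includes(name)
      ? "ok" : "fail";
}

// An interface missing from this map is not a "secured object": no check runs.
const securityHooks = new Map([
  ["Window", allowlistHook("Window")],
  ["Location", allowlistHook("Location")],
  // Document: always "fail" if the origin is different.
  ["Document", (caller, target) => (caller === target.origin ? "ok" : "fail")],
]);

// The single step that method, getter and setter algorithms would share.
function invokeOperation(callerOrigin, target, kind, name, ...args) {
  const hook = securityHooks.get(target.iface);
  if (hook && hook(callerOrigin, target, kind, name) !== "ok") {
    const err = new Error(`blocked ${kind} of ${target.iface}.${name}`);
    err.name = "SecurityError";
    throw err;
  }
  if (kind === "get") return target.members[name];
  if (kind === "set") { target.members[name] = args[0]; return undefined; }
  return target.members[name].apply(target, args);
}

// Helper for the samples: maps the outcome back to the hook's vocabulary.
function attempt(...callArgs) {
  try { invokeOperation(...callArgs); return "ok"; }
  catch (e) { if (e.name === "SecurityError") return "fail"; throw e; }
}

// Constructed sample objects, all owned by origin A.
const A = "https://a.example", B = "https://b.example";
const doc = { iface: "Document", origin: A, members: { title: "t" } };
const loc = { iface: "Location", origin: A, members: { href: A + "/", replace() {} } };
const win = { iface: "Window", origin: A,
  members: { location: loc, closed: false, document: doc, postMessage() {}, close() {} } };
const plain = { iface: "Element", origin: A, members: { id: "x" } };
```
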