- From: Travis Leithead <travis.leithead@microsoft.com>
- Date: Tue, 18 Nov 2014 00:33:53 +0000
- To: "public-script-coord@w3.org" <public-script-coord@w3.org>
Received on Tuesday, 18 November 2014 00:34:23 UTC
FWIW: In IE, we always have two Realms to use at runtime when a DOM method needs to create objects: the caller's realm (from the current call-chain provided by the script engine) and the 'this' object's Realm. Our design is fairly straightforward: if we are creating DOM objects we almost always use the 'this' object's Realm. (So depending on however you managed in invoke createElement, it's the actual document instance that defines the Realm to use for the new HTMLElement's prototype.) When we return native JS types (strings, numbers, arrays, functions, etc.) we use the caller's Realm to create them. The caller's realm allows us to securely wrap some objects/native types when passed between domains; e.g., exposing types from the wrong Realm cross-domain is a security hole; window and location proxies are special here). An interesting case-study are methods that return sequences, e.g., Web Messaging's 'ports' property comes to mind.
Received on Tuesday, 18 November 2014 00:34:23 UTC