- From: Ilya Grigorik <igrigorik@google.com>
- Date: Tue, 9 Jun 2015 13:50:36 -0700
- To: Boris Zbarsky <bzbarsky@mit.edu>
- Cc: Justin Rogers <justrog@microsoft.com>, Jonas Sicking <jonas@sicking.cc>, "public-web-perf@w3.org" <public-web-perf@w3.org>, Przemysław Pietrzkiewicz <ppi@google.com>
- Message-ID: <CADXXVKrS+aqQo5Z2+MZxkQZkCrGyCG4ve_V01Q6bT9rAZ9=49g@mail.gmail.com>
This may be a tangent, but to follow up on Todd's question on GH about main
doc and iframes [1]..

> The main document and the iframe can somewhat reason about each other
> even without the worker by comparing navigationStart times, I think.

Yes, but this requires a roundtrip, which is the same problem we're trying
to solve for workers? Would it make sense to expand the scope of this
discussion to a method that can accept both worker and window objects to
compute their respective startTimes?

ig

[1] https://github.com/w3c/hr-time/pull/6#issuecomment-109493421

On Mon, Jun 8, 2015 at 1:01 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:

> On 6/8/15 2:45 PM, Justin Rogers wrote:
>
>> For comparison, the few methods/properties that are cross domain on
>> window we represent as [msDoNotCheckDomainSecurity].
>
> Yes, Gecko has something similar. In spec terms right now, this is all
> defined in prose in the HTML spec, which is actually rather suboptimal.
>
>> (whereas on a parameter it means don't check anything and just store it).
>>
>> Currently, event constructors and event init methods seem to be the
>> lion's share of things that take a Window for the viewArg.
>
> So that's an interesting discussion. See
> https://www.w3.org/Bugs/Public/show_bug.cgi?id=27128
>
> In particular, MessageEvent is defined in the HTML spec as taking
> WindowProxy, not Window, and just stores the object.
>
> It might make some sense to me to just use _that_ as the differentiator: a
> WindowProxy arg is just stored and must not be touched without a security
> check later, while a Window arg gets security-checked and can then be used
> for stuff.
>
> The other semi-interesting case is Location, of course; I don't know what
> the situation is for that one right now and it doesn't have the convenient
> WindowProxy thing... but security checks for Location are pretty weird
> too. https://www.w3.org/Bugs/Public/show_bug.cgi?id=20701 is relevant
> here and has been for a while. :(
>
>> I suspect those would have to be upgraded to [AllowCrossOrigin] since
>> there are likely no restrictions today.
>
> Actually, Gecko will throw a security exception right now if you pass in a
> cross-origin viewArg to an event constructor.
>
>> Note: This was a tiny canvassing, I didn't account for object or any types
>> to see if there would be an "additional" security check needed for those
>> cases.
>
> Object or any would just get stored as-is (storing the WindowProxy). Then
> if you ever try to get a Window out of it later, whoever does that should
> security-check imo.
>
> -Boris
Received on Tuesday, 9 June 2015 20:51:51 UTC