- From: Adam Barth <w3c@adambarth.com>
- Date: Tue, 29 Mar 2011 18:58:25 -0700
- To: Boris Zbarsky <bzbarsky@mit.edu>
- Cc: Brandon Sterne <bsterne@mozilla.com>, gaz Heyes <gazheyes@gmail.com>, "sird@rckc.at" <sird@rckc.at>, public-web-security@w3.org
On Tue, Mar 29, 2011 at 6:29 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> On 3/29/11 9:19 PM, Adam Barth wrote:
>>
>> WebKit seems to distinguish between callable and non-callable.
>> Non-callables get coerced to strings, which then get compiled as
>> script source code, which is what we'd like to avoid.
>
> Indeed. Gecko, if I read the code right, basically does this:
>
> if (typeof(arguments[0]) == "function") {
>   // Do the function thing
> } else if (typeof(arguments[0]) == "string" ||
>            typeof(arguments[0]) == "object") {
>   // Do the string thing
> } else {
>   // Throw an exception
> }
>
> From what I understand, the typeof check there is not quite equivalent to
> checking for callability...
WebKit literally checks for callable:
http://trac.webkit.org/browser/trunk/Source/WebCore/bindings/js/ScheduledAction.cpp#L53
Anyway, that's something for HTML5 or WebIDL to define. What's
important for our purposes is that there's a branch there and we need
to block one side of the branch but not the other (as in
https://bugs.webkit.org/attachment.cgi?id=87220&action=prettypatch)
Adam
Received on Wednesday, 30 March 2011 01:59:29 UTC
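
The branch discussed in this message, modelled as an added example (not part of the original e-mail, and not WebKit or Gecko code): a timer handler is classified as callable or as text to be compiled, and a policy blocks only the compile side. The names `classifyHandler`, `scheduleTimer` and `allowStringCompile` are hypothetical; the classification follows the typeof-based pseudocode quoted above.

```javascript
// Added illustration: a model of the timer-argument branch, not browser code.
// classifyHandler, scheduleTimer and allowStringCompile are hypothetical names.

function classifyHandler(handler) {
  // Callable side: the function is invoked directly; no source text is compiled.
  if (typeof handler === "function") {
    return { kind: "callable", fn: handler };
  }
  // Non-callable side: strings, and objects coerced with String(), become
  // script source. This is the side a policy has to be able to block.
  if (typeof handler === "string" || typeof handler === "object") {
    return { kind: "source", source: String(handler) };
  }
  return { kind: "invalid" };
}

function scheduleTimer(handler, policy) {
  const action = classifyHandler(handler);
  if (action.kind === "invalid") {
    throw new TypeError("unsupported timer handler");
  }
  if (action.kind === "source") {
    if (!policy.allowStringCompile) {
      // Refuse before any compilation happens.
      return { scheduled: false, reason: "blocked: string would be compiled as script" };
    }
    // Only reached when the policy permits eval-like compilation.
    return { scheduled: true, run: new Function(action.source) };
  }
  // The callable side is never affected by the policy.
  return { scheduled: true, run: action.fn };
}

// Constructed sample handlers covering each branch.
const strictPolicy = { allowStringCompile: false };
const samples = [
  ["function", () => "called"],
  ["string", "1 + 1"],
  ["object with toString", { toString() { return "1 + 1"; } }],
];
for (const [label, handler] of samples) {
  const result = scheduleTimer(handler, strictPolicy);
  console.log(label, "->", result.scheduled ? "scheduled" : result.reason);
}
```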