Re: WebIDL and prototype chains from Ian Hickson on 2009-08-08 (public-webapps@w3.org from July to September 2009)

From: Ian Hickson <ian@hixie.ch>
Date: Sat, 8 Aug 2009 00:51:46 +0000 (UTC)
To: Maciej Stachowiak <mjs@apple.com>
Cc: Jonas Sicking <jonas@sicking.cc>, Adam Barth <w3c@adambarth.com>, public-webapps <public-webapps@w3.org>
Message-ID: <Pine.LNX.4.62.0908080038390.6420@hixie.dreamhostps.com>

On Thu, 16 Jul 2009, Maciej Stachowiak wrote:
> On Jul 16, 2009, at 8:04 PM, Ian Hickson wrote:
> > On Thu, 16 Jul 2009, Maciej Stachowiak wrote:
> > > > 
> > > > HTML5 just says that new History, Location, etc, objects are 
> > > > created for each (inner) Window object. Is this not accurate? What 
> > > > do browsers do?
> > > 
> > > Creating new ones on navigation is indeed correct, but a separate 
> > > issue from making sure cross-origin cross-frame access to things 
> > > like history.back() is safe for both parties.
> > 
> > In HTML5, you can't access .history cross-domain, and you can't get to 
> > the prototype of the .location object (the only thing you can do to 
> > .location is set the .href member).
> > 
> > Are these restrictions Web-incompatible?
> 
> WebKit-based browsers allow cross-origin back(), forward() and go() on 
> History, and replace(), reload() and assign() on Location, in addition 
> to setting of href. I can't say definitively that all of those are 
> needed to be Web compatible. Firefox allows access to at least 
> location.replace() and history.back() cross-domain, and I would 
> tentatively guess at least these two are required for Web compatibility.

IE doesn't seem to allow history.back() cross-domain. I've made HTML5 
allow everything IE8 seems to allow.


> postMessage() (or, say, focus()) is another example of something that 
> needs to be accessible cross-origin, and I don't think you can fully 
> hide its prototype because call() and apply() should be usable on it, 
> for example.
>
> I haven't thought through exactly how this needs to work. The point is 
> mainly that anything accessible cross-origin probably can't just follow 
> the normal rules for building a prototype chain.

How should I address this for HTML5?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Saturday, 8 August 2009 00:52:24 UTC