Re: [XHR] Constructor behavior seems to be underdefined

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Mon, 02 Apr 2012 18:18:10 -0400
Message-ID: <4F7A25A2.4000509@mit.edu>
To: Ian Hickson <ian@hixie.ch>
CC: Simon Pieters <simonp@opera.com>, Cameron McCormack <cam@mcc.id.au>, public-webapps@w3.org, "public-script-coord@w3.org" <public-script-coord@w3.org>

On 4/2/12 6:15 PM, Ian Hickson wrote:
> Interesting. When speccing this stuff years ago, I do not recall coming
> across any browser other than Opera that had any security checks on
> objects other than the few that the spec talks about.

For what it's worth, I believe Gecko does the checks today too, on some 
properties.  Just not all of them.  It's a bit ad-hoc, because there are 
multiple sets of DOM bindings involved, unfortunately.

> In general, unless there's a good security reason to do the checks, I
> think we'd be better off not doing them here. Having the checks can be
> expensive; it means at a minimum an extra pointer comparison and branch
> before each member access, which seems like a lot of expensive checking
> for something that really doesn't matter that much.

I agree; I'm going to run this by the security folks to see what they think.

Received on Monday, 2 April 2012 22:18:42 UTC
