[whatwg] "first script" and impersonating other pages - pushState(url) from Mike Wilson on 2009-08-31 (public-whatwg-archive@w3.org from August 2009)

From: Mike Wilson <mikewse@hotmail.com>
Date: Mon, 31 Aug 2009 15:44:45 +0200
Message-ID: <010e01ca2a41$342262b0$0a01a8c0@mikedeskxp>

Ian Hickson wrote:
> 
> On Fri, 21 Aug 2009, Mike Wilson wrote:
> >
> > I'm currently wrapping my head around the notion of 
> > "first script" in the spec [1]. It's description is 
> > a bit terse and the subject seems non-trivial, so 
> > maybe the text could be fleshed out some?
> > 
> > Section 6.1.5 "Groupings of browsing contexts" 
> > says:
> > | Each unit of related similar-origin browsing 
> > | contexts can have a first script which is used to 
> > | obtain, amongst other things, the script's base 
> > | URL to resolve relative URLs used in scripts 
> > | running in that unit of related similar-origin 
> > | browsing contexts. Initially, there is no first 
> > | script.
> > 
> > Does this implicitly say that this set of browsing 
> > contexts should never execute script in parallel?
> 
> No, that is implied by the event loop mechanism.
> 
>    http://www.whatwg.org/specs/web-apps/current-work/#event-loops

Ah thanks, that made it clear. 6.1.5 might get a little
easier to understand if some text mentioned the shared 
event loop for this set of browsing contexts, or linked 
to 6.5.4.

> >   /pages/page1.html:
> >     <script src="/scripts/script1.js">
> > *1  <button onclick="func1();">
> > 
> >   /scripts/script1.js:
> >     function func1() { ... }
> > *2  func1();
> > 
> > What is regarded as *first script* in these two 
> > calls to func1() ?
> > *1: the implicitly generated event handler wrapper 
> >     in /pages/page1.html ?
> > *2: /scripts/script1.js
> 
> Yes.
> 
> > [...]
> > Imagine that I want my loaded page:
> >   /pages/section1/thing1
> > be able to impersonate:
> >   /pages/section2/thing2
> > how do you envision this to be structured? 
> > 
> > Something like this? :
> > 
> >   /pages/section1/thing1:
> >     <script src="/pages/script.js">
> >     <button onclick="impersonate();">
> > 
> >   /pages/script.js:
> >     function impersonate() {
> >       ...pushState(..., "/pages/section2/thing2");
> >     }
> 
> That would do it, yes.

Per *1 in the first example, wouldn't the first script
(corresponding to the button click) be the implicitly 
generated event handler in:
  /pages/section1/thing1
with a basedir of
  /pages/section1
thereby making the call to:
  ...pushState(..., "/pages/section2/thing2");
throw SECURITY_ERR in step 2.2 of the pushState
algorithm?

Best regards
Mike

Received on Monday, 31 August 2009 06:44:45 UTC