W3C home > Mailing lists > Public > whatwg@whatwg.org > January 2009

[whatwg] Methods defined for one document called after that document is no longer the one being displayed

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Sat, 31 Jan 2009 22:09:22 -0500
Message-ID: <49851262.8060300@mit.edu>
Ian Hickson wrote:
> I haven't mentioned the 'this' behavior, so right now |this !=== window|, 
> which breaks the invariant that there is no way to actually get hold of a 
> reference to the Window object itself (as opposed to the outer WindowProxy 
> object that forwards to the inner Window object). This requirement would 
> be a violation of ECMAScript 3.1, so if we could get that changed in 
> ES3.1, that would be great. Failing that, it should probably be in the 
> WebIDL JavaScript binding section.

As I recall, in Gecko the keyword |this| evaluates to the outer window. 
  I'm not sure what happens to the implicit |this| that's computed when 
defining a global function, say.

The reason for this setup was precisely to prevent script from getting a 
handle to the inner Window.  Since we do security checks for cross-site 
scripting in the outer Window, any ability to pass inner Windows 
cross-site would be an automatic security hole.

The setup as it exists right now allows scripts that run within a single 
window and never explicitly touch Window objects to not have to perform 
security checks on every property access.

You might want to double-check with Blake Kaplan, Brendan Eich, or 
Johnny Stenback on the above, as well as on how this fits in with 
ECMAScript 3.1.  I seem to recall something about that going by in the 
bugs when this was being worked on, but Brendan is more likely to recall 
the details than I am to be able to find them...

-Boris
Received on Saturday, 31 January 2009 19:09:22 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:09 UTC