[whatwg] "first script" and impersonating other pages - pushState(url)

On Mon, 31 Aug 2009, Mike Wilson wrote:
> Ian Hickson wrote:
> > On Fri, 21 Aug 2009, Mike Wilson wrote:
> > >
> > > I'm currently wrapping my head around the notion of 
> > > "first script" in the spec [1]. It's description is 
> > > a bit terse and the subject seems non-trivial, so 
> > > maybe the text could be fleshed out some?
> > > 
> > > Section 6.1.5 "Groupings of browsing contexts" 
> > > says:
> > > | Each unit of related similar-origin browsing 
> > > | contexts can have a first script which is used to 
> > > | obtain, amongst other things, the script's base 
> > > | URL to resolve relative URLs used in scripts 
> > > | running in that unit of related similar-origin 
> > > | browsing contexts. Initially, there is no first 
> > > | script.
> > > 
> > > Does this implicitly say that this set of browsing 
> > > contexts should never execute script in parallel?
> > 
> > No, that is implied by the event loop mechanism.
> > 
> >    http://www.whatwg.org/specs/web-apps/current-work/#event-loops
> 
> Ah thanks, that made it clear. 6.1.5 might get a little easier to 
> understand if some text mentioned the shared event loop for this set of 
> browsing contexts, or linked to 6.5.4.

Done.


> > >   /pages/page1.html:
> > >     <script src="/scripts/script1.js">
> > > *1  <button onclick="func1();">
> > > 
> > >   /scripts/script1.js:
> > >     function func1() { ... }
> > > *2  func1();
> > > 
> > > What is regarded as *first script* in these two 
> > > calls to func1() ?
> > > *1: the implicitly generated event handler wrapper 
> > >     in /pages/page1.html ?
> > > *2: /scripts/script1.js
> > 
> > Yes.
> > 
> > > [...]
> > > Imagine that I want my loaded page:
> > >   /pages/section1/thing1
> > > be able to impersonate:
> > >   /pages/section2/thing2
> > > how do you envision this to be structured? 
> > > 
> > > Something like this? :
> > > 
> > >   /pages/section1/thing1:
> > >     <script src="/pages/script.js">
> > >     <button onclick="impersonate();">
> > > 
> > >   /pages/script.js:
> > >     function impersonate() {
> > >       ...pushState(..., "/pages/section2/thing2");
> > >     }
> > 
> > That would do it, yes.
> 
> Per *1 in the first example, wouldn't the first script
> (corresponding to the button click) be the implicitly 
> generated event handler in:
>   /pages/section1/thing1
> with a basedir of
>   /pages/section1
> thereby making the call to:
>   ...pushState(..., "/pages/section2/thing2");
> throw SECURITY_ERR in step 2.2 of the pushState
> algorithm?

No, why?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Thursday, 3 September 2009 05:27:29 UTC