- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Fri, 04 Mar 2011 20:49:03 -0500
On 3/4/11 7:08 PM, Ian Hickson wrote:
> Could you elaborate on the security reasons?

The primary one is that there are Gecko-internal security settings that are supposed to apply to "this browsing context and all descendant browsing contexts". Right now this is handled by traversing a parent chain that has to be broken when the node is removed from the document. To avoid giving the node's contentWindow permissions it shouldn't have, we then make sure script can't run in it, by the simple expedient of tearing down the browsing context...

It's possible to switch these relevant checks to walk the ownerDocument chain instead, say. Then we need to audit all the callsites to make sure this makes sense at them and figure out what to do for the ones where it doesn't. (For example, should window.alert on the window of an iframe not in the DOM put up a dialog in a tab based on the ownerDocument of the iframe? Or not put one up at all?)

There are quite a few APIs that need to be thus audited if this invariant is changed.

> I don't really understand the problem.

The main problem is having better ways to spend engineering time... ;)

> It certainly seems like there are some valid use cases for moving
> frames around from document to document.

There are, yes. There are also lots of edge cases that are otherwise impossible that are introduced by allowing it; I'm a little curious as to how compatible with each other the IE8 and Chrome implementations are.

-Boris
Received on Friday, 4 March 2011 17:49:03 UTC