W3C home > Mailing lists > Public > whatwg@whatwg.org > February 2012

[whatwg] Should events be paused on detached iframes?

From: Ian Hickson <ian@hixie.ch>
Date: Wed, 8 Feb 2012 22:38:33 +0000 (UTC)
Message-ID: <Pine.LNX.4.64.1202082230150.13116@ps20323.dreamhostps.com>
On Wed, 8 Feb 2012, Boris Zbarsky wrote:
> On 2/8/12 3:50 PM, Ian Hickson wrote:
> > "Should events be paused on detached iframes"? Or another question?
> > (Sorry, I've lost the context here.)
> 
> The thread is discontinuous in the archives (why?)

Mailman archives suck.

I found the thread in a more usable form here:

   http://old.nabble.com/Should-events-be-paused-on-detached-iframes--to29526129.html#a29526129


> but I think the relevant part was:
> 
>   It's possible to switch these relevant checks to walk the
>   ownerDocument chain instead, say.  Then we need to audit all the
>   callsites to make sure this makes sense at them and figure out what
>   to do for the ones where it doesn't.  (For example, should
>   window.alert on the window of an iframe not in the DOM put up a
>   dialog in a tab based on the ownerDocument of the iframe?  Or not put
>   one up at all?)  There are quite a few APIs that need to be thus
>   audited if this invariant is changed.

My overall response is still the same: I'm happy to consider specific 
cases. As far as I'm aware, the spec doesn't have any privilege escalation 
bugs of this nature.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 8 February 2012 14:38:33 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:39 UTC