- From: Adam Barth <w3c@adambarth.com>
- Date: Fri, 9 Nov 2012 12:17:59 -0800
- To: Bobby Holley <bobbyholley@gmail.com>
- Cc: whatwg <whatwg@lists.whatwg.org>, Matt Wobensmith <mwobensmith@mozilla.com>, Boris Zbarsky <bzbarsky@mit.edu>, Johnny Stenback <jst@mozilla.com>
On Fri, Nov 9, 2012 at 12:06 PM, Bobby Holley <bobbyholley@gmail.com> wrote:
> On Fri, Nov 9, 2012 at 11:33 AM, Adam Barth <w3c@adambarth.com> wrote:
>> > That was my opinion for a while, too, but I eventually decided it was
>> > necessary in Gecko.
>>
>> Can you explain why you think it is necessary? In WebKit, the
>> WindowProxy is the only object that has this magic.
>
> As noted, the Location object is the only object whose security
> characteristics don't match its scope. This requires a lot of extra goop in
> our compartment-based security model, and the goop is brittle (recently
> forcing us to release two out-of-band updates, 16.0.1 and 16.0.2). We've got
> enough belt-and-suspenders code now that I'm not particularly worried, but I
> still want to make Location just like any other object from a security
> perspective.
>
> If UAs were consistent or the spec matched reality, this would be a
> different story. But given that we probably need to change the spec to
> either the Trident/Presto model or the Gecko/WebKit model, I support the
> former, because we've historically had problems implementing the latter
> securely. Do you feel that it would be difficult to implement the former
> securely in WebKit?

That depends on the questions I asked earlier.

> Also, FWIW, from the perspective of an average web-developer, IMO it makes
> much more semantic sense to have one Location per WindowProxy if the
> Location object describes the WindowProxy. But I doubt many people touch
> this stuff in practice.

I don't think the average web developer will hit this case because it
depends on interacting with the Location object in an inactive
document.

>> We don't want to move objects between scopes. That causes many
>> security complications that we don't want to deal with.
>
> Are you able to just update references, like you do with WindowProxy?

That's the magic I don't want to proliferate.

> That's
> essentially what we're doing. We actually create a new object in the new
> scope and update all the old references to point to it.
>
>> Can you answer the questions in my previous email?
>
> Which ones? AFAICT Boris answered all of them except for the testcase thing
> (which I answered). Did I miss some?

Maybe I didn't receive your email. I gave some example code and asked
which values were printed:

---8<---
Consider the following case:

== Document A ==
<script>
Object.prototype.foo = "A1";
window.location.bar = "A2";
function f() {
  var loc = window.location;
  print(loc.foo); // print is a magic function that lets me see this value
  print(loc.bar);
}
</script>

== Document B ==
<script>
Object.prototype.foo = "B1";
window.location.bar = "B2";
</script>

1) Document A is displayed in browsing context X.
2) Browsing context X is navigated and now displays document B.
3) Function f is called.

What values are printed?
--->8---

Adam
Received on Friday, 9 November 2012 20:34:50 UTC