Re: [whatwg] Location object identity and navigation behavior from Boris Zbarsky on 2012-11-20 (public-whatwg-archive@w3.org from November 2012)

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Tue, 20 Nov 2012 13:50:59 -0500
To: Ian Hickson <ian@hixie.ch>
Cc: whatwg <whatwg@lists.whatwg.org>, Matt Wobensmith <mwobensmith@mozilla.com>, Johnny Stenback <jst@mozilla.com>, Bobby Holley <bobbyholley@gmail.com>, Adam Barth <w3c@adambarth.com>
Message-ID: <50ABD113.1010901@mit.edu>

On 11/20/12 12:46 PM, Ian Hickson wrote:
> Given the way JavaScript works, I just don't see a sane way to make a
> non-symmetric model work.

How does "JavaScript work" in your mind?  We have a good amount of 
experience making a non-symmetric model work in Gecko, for what it's worth.

> Any time you pass a string from one to the other, you're also passing a way for the
> callee to call back into the caller, for example (via the string's
> methods).

Spidermonkey effectively copies strings when passing across globals; the 
callee never gets the caller's actual string.  The methods the callee 
sees on strings are its own methods, not the callers.

> Passing any sort of structured objects similarly means passing
> mehods.

In the case of Gecko, what the caller gets in this case is a proxy for 
the actual object which enforces security invariants like "only 
properties on a whitelist are exposed" for cases when the security check 
is asymmetric.  This is handled completely on the underlying JS 
implementation level; individual callers don't have to do anything 
special to be safe this way.

> We have mechanisms for safe passing of data from one context to another,
> such as postMessage(). Doing it by having one-way glass in JS just seems
> like asking for trouble.

postMessage doesn't work unless both sides are cooperating...

> Yeah, like running getters with the ability to abort them if they don't
> return promptly.

Perhaps, yes.  ;)  I agree that debuggers have all sorts of weird going 
on, obviously!

> But your underlying point, that we can't rely on the entry script and the
> real origin, is sound. In particular, anything that's to be affected by
> document.domain has to use the calling script, not the entry script, and
> has to use the effective origin, not the real origin. It would be useful
> if someone (other than me) were to review the spec's uses of the term
> "entry script" and "origin" and verify that the checks all make sense.

I'll see what I can do about finding someone for this.  Might be a few 
weeks given holidays and whatnot, obviously.

I'll let Bobby handle the Location parts of this.  ;)

-Boris

Received on Tuesday, 20 November 2012 21:24:06 UTC