- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Sun, 23 Dec 2012 10:09:29 +0100
- To: Boris Zbarsky <bzbarsky@mit.edu>
- Cc: www-dom@w3.org

On Sat, Dec 22, 2012 at 8:12 PM, Boris Zbarsky <bzbarsky@mit.edu>
> 2) If a script adopts a node from a subframe and then unloads the subframe
> or removes it from the DOM, remembering the proto means you leak the entire
> global object _and_ the entire DOM of the subframe, because HTMLElement is
> reachable from the adopted node (via .__proto__ and .constructor) and then
> you can call "new HTMLElement" from the now-unloaded subframe Window and now
> you have a node whose ownerDocument is the document that was in the subframe
> and you can reach its DOM, so the UA has to keep all that stuff alive or
> has to make some of this stuff not work or something. That seems like a
> pretty serious footgun to me.

What happens with document.open()? Does that replace the proto as well?
How do I go about defining replacing the proto of an element? Are there
any other places where this happens in the platform? Is the right place
in DOM or should IDL provide a hook for it?

(Given your point I think Gecko's design is the way to go.)

--
http://annevankesteren.nl/

Received on Sunday, 23 December 2012 09:09:58 UTC