[whatwg] Methods defined for one document called after that document is no longer the one being displayed
Ian Hickson
ian at hixie.ch
Thu Feb 12 19:15:42 PST 2009
On Sat, 31 Jan 2009, Boris Zbarsky wrote:
>
> Ian Hickson wrote:
> > I haven't mentioned the 'this' behavior, so right now |this !==
> > window|, which breaks the invariant that there is no way to actually
> > get hold of a reference to the Window object itself (as opposed to the
> > outer WindowProxy object that forwards to the inner Window object).
> > This requirement would be a violation of ECMAScript 3.1, so if we
> > could get that changed in ES3.1, that would be great. Failing that, it
> > should probably be in the WebIDL JavaScript binding section.
>
> As I recall, in Gecko the keyword |this| evaluates to the outer window.
> I'm not sure what happens to the implicit |this| that's computed when
> defining a global function, say.
>
> The reason for this setup was precisely to prevent script from getting a
> handle to the inner Window. Since we do security checks for cross-site
> scripting in the outer Window, any ability to pass inner Windows
> cross-site would be an automatic security hole.
>
> The setup as it exists right now allows scripts that run within a single
> window and never explicitly touch Window objects to not have to perform
> security checks on every property access.
>
> You might want to double-check with Blake Kaplan, Brendan Eich, or
> Johnny Stenback on the above, as well as on how this fits in with
> ECMAScript 3.1. I seem to recall something about that going by in the
> bugs when this was being worked on, but Brendan is more likely to recall
> the details than I am to be able to find them...
I've pinged Brendan about this, but in the short term, I've put the
requirement in HTML5, so that we don't lose it.
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
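
A toy model of the inner/outer window split discussed in this thread, added here as an illustration; it is not part of the original message and is not Gecko or HTML5 specification code. The names `InnerWindow`, `BrowsingContext`, `runAs` and `demo`, the example origins, and the simplified origin comparison are all assumptions.

```javascript
// Toy model of the inner/outer window split (constructed; not Gecko or spec code).
let callerOrigin = null;                 // origin of the script currently "running"
function runAs(origin, fn) {
  const prev = callerOrigin;
  callerOrigin = origin;
  try { return fn(); } finally { callerOrigin = prev; }
}

class InnerWindow {                      // one per document; holds that document's globals
  constructor(origin) {
    this.origin = origin;
    this.secret = `state of ${origin}`;
  }
}

class BrowsingContext {
  constructor(inner) {
    this.inner = inner;
    const ctx = this;
    // Outer window: the only object scripts are meant to hold. It forwards to
    // whichever inner Window is current, and the origin check lives here.
    this.outer = new Proxy(Object.create(null), {
      get(_target, prop) {
        if (ctx.inner.origin !== callerOrigin) throw new Error("SecurityError");
        return ctx.inner[prop];
      },
    });
  }
  navigate(inner) { this.inner = inner; } // same outer object, new inner Window
}

function demo() {
  const siteA = "https://a.example", siteB = "https://b.example"; // constructed origins
  const ctx = new BrowsingContext(new InnerWindow(siteA));
  const held = ctx.outer;                // reference kept by a script from site A
  const before = runAs(siteA, () => held.secret);
  ctx.navigate(new InnerWindow(siteB));  // a different document is now displayed
  let viaOuter;
  try { viaOuter = runAs(siteA, () => held.secret); }
  catch (e) { viaOuter = e.message; }
  // Hypothetical leak: a raw inner Window handed across origins skips the check.
  const leakedInner = ctx.inner;
  const viaInner = runAs(siteA, () => leakedInner.secret);
  return { before, viaOuter, viaInner };
}
```

The reference held through the outer object is rejected once the displayed document belongs to another origin, while the raw inner reference returns the other site's state unchecked, which is why the invariant matters.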