[whatwg] Methods defined for one document called after that document is no longer the one being displayed
Boris Zbarsky
bzbarsky at MIT.EDU
Sat Jan 31 19:09:22 PST 2009
Ian Hickson wrote:
> I haven't mentioned the 'this' behavior, so right now |this !=== window|,
> which breaks the invariant that there is no way to actually get hold of a
> reference to the Window object itself (as opposed to the outer WindowProxy
> object that forwards to the inner Window object). This requirement would
> be a violation of ECMAScript 3.1, so if we could get that changed in
> ES3.1, that would be great. Failing that, it should probably be in the
> WebIDL JavaScript binding section.
As I recall, in Gecko the keyword |this| evaluates to the outer window.
I'm not sure what happens to the implicit |this| that's computed when
defining a global function, say.
The reason for this setup was precisely to prevent script from getting a
handle to the inner Window. Since we do security checks for cross-site
scripting in the outer Window, any ability to pass inner Windows
cross-site would be an automatic security hole.
The setup as it exists right now allows scripts that run within a single
window and never explicitly touch Window objects to not have to perform
security checks on every property access.
You might want to double-check with Blake Kaplan, Brendan Eich, or
Johnny Stenback on the above, as well as on how this fits in with
ECMAScript 3.1. I seem to recall something about that going by in the
bugs when this was being worked on, but Brendan is more likely to recall
the details than I am to be able to find them...
-Boris
More information about the whatwg
mailing list