[whatwg] "first script" and impersonating other pages - pushState(url)
Ian Hickson
ian at hixie.ch
Thu Sep 3 05:27:29 PDT 2009
On Mon, 31 Aug 2009, Mike Wilson wrote:
> Ian Hickson wrote:
> > On Fri, 21 Aug 2009, Mike Wilson wrote:
> > >
> > > I'm currently wrapping my head around the notion of
> > > "first script" in the spec [1]. It's description is
> > > a bit terse and the subject seems non-trivial, so
> > > maybe the text could be fleshed out some?
> > >
> > > Section 6.1.5 "Groupings of browsing contexts"
> > > says:
> > > | Each unit of related similar-origin browsing
> > > | contexts can have a first script which is used to
> > > | obtain, amongst other things, the script's base
> > > | URL to resolve relative URLs used in scripts
> > > | running in that unit of related similar-origin
> > > | browsing contexts. Initially, there is no first
> > > | script.
> > >
> > > Does this implicitly say that this set of browsing
> > > contexts should never execute script in parallel?
> >
> > No, that is implied by the event loop mechanism.
> >
> > http://www.whatwg.org/specs/web-apps/current-work/#event-loops
>
> Ah thanks, that made it clear. 6.1.5 might get a little easier to
> understand if some text mentioned the shared event loop for this set of
> browsing contexts, or linked to 6.5.4.
Done.
> > > /pages/page1.html:
> > > <script src="/scripts/script1.js">
> > > *1 <button onclick="func1();">
> > >
> > > /scripts/script1.js:
> > > function func1() { ... }
> > > *2 func1();
> > >
> > > What is regarded as *first script* in these two
> > > calls to func1() ?
> > > *1: the implicitly generated event handler wrapper
> > > in /pages/page1.html ?
> > > *2: /scripts/script1.js
> >
> > Yes.
> >
> > > [...]
> > > Imagine that I want my loaded page:
> > > /pages/section1/thing1
> > > be able to impersonate:
> > > /pages/section2/thing2
> > > how do you envision this to be structured?
> > >
> > > Something like this? :
> > >
> > > /pages/section1/thing1:
> > > <script src="/pages/script.js">
> > > <button onclick="impersonate();">
> > >
> > > /pages/script.js:
> > > function impersonate() {
> > > ...pushState(..., "/pages/section2/thing2");
> > > }
> >
> > That would do it, yes.
>
> Per *1 in the first example, wouldn't the first script
> (corresponding to the button click) be the implicitly
> generated event handler in:
> /pages/section1/thing1
> with a basedir of
> /pages/section1
> thereby making the call to:
> ...pushState(..., "/pages/section2/thing2");
> throw SECURITY_ERR in step 2.2 of the pushState
> algorithm?
No, why?
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
More information about the whatwg
mailing list