[whatwg] Should events be paused on detached iframes?

Ian Hickson ian at hixie.ch
Fri Mar 4 16:08:12 PST 2011


On Mon, 6 Dec 2010, Boris Zbarsky wrote:
> On 12/6/10 7:45 PM, Ian Hickson wrote:
> > per spec, currently, if you grab a reference (from another Window) to 
> > a document that you then send into session history (bfcache), you can 
> > still mutate that document, call dispatchEvent() on it, run scripts in 
> > it, etc.
> 
> I don't believe Gecko would be willing to implement that, for security 
> reasons.  As soon as you try to do things of that sort in a bfcached 
> document it _will_ in fact get evicted.  I don't believe we plan to 
> change that.  I'd be interested in what other UAs views are on this.
> 
> This is also why we drop the browsing context when an iframe is removed 
> from the document.  This part we may be able to change without 
> introducing security problems, maybe...  Not clear yet.

Interesting.

So it looks like Chrome and IE8 implement what the spec says here when it 
comes to iframes, but Opera, Firefox, and Safari do not:

   http://www.hixie.ch/tests/adhoc/html/frames/iframes/detaching/001.html?a

Opera turns a Window into an Object with just one property ('close', 
which is undefined as far as I can tell). Firefox and Safari just set all 
the properties to undefined, but otherwise leave it alone.

Could you elaborate on the security reasons? I don't really understand the 
problem. It certainly seems like there are some valid use cases for moving 
frames around from document to document.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'


More information about the whatwg mailing list