Ian Hickson wrote:
On Thu, 1 Aug 2013, Brendan Eich wrote:
That actually gets you closer to what the spec says (closer to the
legacy model) than the Gecko approach,
How so? Can you give an example where Gecko doesn't do what the spec
says?
The difference between the model I described and the Gecko model is that
the isolation is amongst groups of similar-origin browsing contexts, so
document.domain doesn't cause a problem. That is, two sibling iframes at
http://victim.example.com:80 and http://hostile.example.com:81 would be in
the same process, not isolated from each other. It's essentially the model
described in the spec, implemented with Gecko-style defense-in-depth.
So object refs not linked through window or document do get revoked on
domain change, or do not?
How about the non-enumerable thing? That doesn't really protect anything
in ES5 era, and as Allen says it doesn't protect against guessed-name
probing.
I'm not sure what this refers to. Can you elaborate?
http://www.whatwg.org/specs/web-apps/current-work/multipage/browsers.html#security-window
"""
When the incumbent script's effective script origin is different than a
|Window| object's |Document|'s effective script origin, the user agent
must act as if any changes to that |Window| object's properties, getters,
setters, etc, were not present, and as if all the properties of that
|Window| object had their [[Enumerable]] attribute set to false.
"""
/be
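
Added example (not part of the original messages or of the HTML spec): a small Node.js model of the point raised above about the quoted rule. Setting [[Enumerable]] to false on its own leaves properties reachable through Object.getOwnPropertyNames and through guessed names, while mediating every access does hide them. The window-like object, the allowlist and all function names are assumptions, and a Proxy stands in for browser-internal access mediation.

```javascript
// Constructed stand-in for a Window that page script has modified.
function makeWindowLike() {
  const win = { location: "http://victim.example.com/", postMessage() {} };
  win.appSecret = "constructed-sample-value"; // a "change" made by page script
  return win;
}

// Model 1: apply only the "[[Enumerable]] set to false" half of the rule.
function hideByNonEnumerable(win) {
  for (const name of Object.getOwnPropertyNames(win)) {
    Object.defineProperty(win, name, { enumerable: false });
  }
  return win;
}

// Model 2: mediate every access, so names outside the allowlist do not exist.
// The allowlist contents are an assumption made for this example.
const CROSS_ORIGIN_ALLOWLIST = new Set(["location", "postMessage"]);
function crossOriginView(win) {
  const allowed = (k) => typeof k === "string" && CROSS_ORIGIN_ALLOWLIST.has(k);
  return new Proxy(win, {
    get: (t, k) => (allowed(k) ? Reflect.get(t, k) : undefined),
    has: (t, k) => allowed(k) && Reflect.has(t, k),
    ownKeys: (t) => Reflect.ownKeys(t).filter(allowed),
    getOwnPropertyDescriptor(t, k) {
      if (!allowed(k)) return undefined;
      const d = Reflect.getOwnPropertyDescriptor(t, k);
      return d && { ...d, enumerable: false };
    },
    set: () => false,
    defineProperty: () => false,
    deleteProperty: () => false,
  });
}

// What a script holding a reference can observe through each view.
function probe(obj, guessedName) {
  const enumerated = [];
  for (const k in obj) enumerated.push(k);
  return {
    enumerated,
    ownNames: Object.getOwnPropertyNames(obj),
    guessedValue: obj[guessedName],
    guessedPresent: guessedName in obj,
  };
}
```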