(apologies for the people on the to: and cc: lines getting dupes, I wanted to resend this to make sure it was in the archives and seen by the others on the list)
On Thu, 1 Aug 2013, Brendan Eich wrote: > > > > That actually gets you closer to what the spec says (closer to the > > legacy model) than the Gecko approach, > > How so? Can you give an example where Gecko doesn't do what the spec > says? The difference between the model I described and the Gecko model is that the isolation is amongst groups of similar-origin browsing contexts, so document.domain doesn't cause a problem. That is, two sibling iframes at http://victim.example.com:80 and http://hostile.example.com:81 would be in the same process, not isolated from each other. It's essentially the model described in the spec, implemented with Gecko-style defense-in-depth. > How about the non-enumerable thing? That doesn't really protect anything > in ES5 era, and as Allen says it doesn't protect against guessed-name > probing. I'm not sure what this refers to. Can you elaborate? -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.' _______________________________________________ es-discuss mailing list [email protected] https://mail.mozilla.org/listinfo/es-discuss
