On Fri, Aug 7, 2009 at 5:51 PM, Ian Hickson<i...@hixie.ch> wrote:
> How should I address this for HTML5?

We talked over several option in #whatwg.  Here's something that might
make sense.  The approach below is designed to allow for robust
implementation and to isolated the "magical" properties in the window
object.

Principle: Two distinct origins should have distinct JavaScript object
graphs.  The only point of contact between the JavaScript objects of
different origins should be window objects (or, more precisely,
WindowProxy objects).

Rules:

1) When a script gets a property from a same-origin window object, the
script gets the same object as the page itself gets.

2) When a script gets a property from a cross-origin window object,
the script gets a *new* object with the appropriate interface.
  a) This new object is created in context of the accessing script
(i.e., the current lexical scope).  That means it gets a prototype
chain as appropriate for the accessing script.
  b) If two scripts from the same context access the same property,
they get the same object.  That is, we cache these newly created
objects per accessing window.  (They will likely be garbage collected
with that window as well.)

Corollaries:

1) Suppose property foo is visible across origins and a script changes
it's own window.foo property in some way.  That change is not visible
to cross-origin viewers (because they get a fresh instance of whatever
the foo object originally was.)

Note: This behavior matches Firefox but differs from IE.  In IE,
cross-origin viewers tend to see the value |undefined| when viewing
properties that have been modified by the page.  This causes minor
security issues.

2) If two scripts from two same-origin windows get some property from
the same cross-origin window, the values they obtain will not be ===.
This is to avoid having different behavior based on which script
accesses the property first.

3) If one script grabs some property from a cross-origin window and
then later because same-origin with that window (e.g., via
document.domain tricks), then that script will get a different object
(the "real" one) if it access the property again.

Adam

Reply via email to