On 4/2/12 6:15 PM, Ian Hickson wrote:
Interesting. When speccing this stuff years ago, I do not recall coming across any browser other than Opera that had any security checks on objects other than the few that the spec talks about.
For what it's worth, I believe Gecko does the checks today too, on some properties. Just not all of them. It's a bit ad-hoc, because there are multiple sets of DOM bindings involved, unfortunately.
In general, unless there's a good security reason to do the checks, I think we'd be better off not doing them here. Having the checks can be expensive; it means at a minimum an extra pointer comparison and branch before each member access, which seems like a lot of expensive checking for something that really doesn't matter that much.
I agree; I'm going to run this by the security folks to see what they think. -Boris
