That's correct. Other browsers get this case right. Here are a
couple test cases you might find interesting:
http://webblaze.org/abarth/tests/protoconfused/test1.html
http://webblaze.org/abarth/tests/protoconfused/test2.html
I tried these tests, with mixed results:
IE8: Exception thrown during load.
Firefox 3.0: mixture of passes and fails on test1.html. Exception thrown during load of test2.html.
Chrome 2.0: Mixture of passes and fails.
Yes. All the browsers suck on these tests. :)
Would you like me to go look for more exploitable cases? It seems
like the only reason not to fix this issue is because we're afraid of
code churn.
I'm just trying to clarify the issue.
Based on your input, I started out thinking that there was a spec
mandating this behavior, that other browsers followed the spec, and
that failure to follow the spec was a security hole.
Now I see that there is no spec, there is no clear shared behavior in
other browsers, and the security holes we know about only pertain to
cross-origin objects, which would specifically be excluded from this
change.
So, the motivation for this change is simply that it would establish a
new, more logical model for cross-frame property access. That's a
laudable goal. I hope we can make it happen.
Since we're inventing the model, we have some freedom to do what we
think is simplest and/or most efficient and/or most secure in certain
edge cases.
Also, once we've established the model, we'll need to propose it to
some standards body -- probably HTML5.
Also, we're free to fix the easy stuff now and the hard stuff later,
since leaving some rough edges unfinished will not be a security
problem.
Geoff
_______________________________________________
webkit-dev mailing list
webkit-dev@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev