On 11/19/12 8:38 PM, Ian Hickson wrote:
For now I've tightened up the spec so it should be implementable, secure, and Web-compatible
I don't believe it's secure as currently written, actually. Filed https://www.w3.org/Bugs/Public/show_bug.cgi?id=20012
I'm also curious as to why figuring out the "entry script"'s characteristics needs to use the stack introspection rather than just having an event-loop global "first script" variable
You can maintain a stack of entry scripts. You can't use a global, because you need to push and pop entry scripts as various things happen (e.g. invoking event listeners sets the entry script to the event listener function's script for the duration of the event listener invocation).
There is no such stack of entry scripts in Gecko yet, but we're working on changing that.
The thing that _really_ requires stack introspection is when you need to look at the caller script instead of the entry script. Which is what you need to do when performing Location security checks (or indeed, any security checks).
-Boris
