On 11/20/12 12:46 PM, Ian Hickson wrote:
> Given the way JavaScript works, I just don't see a sane way to make a
> non-symmetric model work.

How does "JavaScript work" in your mind? We have a good amount of experience making a non-symmetric model work in Gecko, for what it's worth.

> Any time you pass a string from one to the other, you're also passing a way for
> the callee to call back into the caller, for example (via the string's
> methods).

SpiderMonkey effectively copies strings when passing across globals; the callee never gets the caller's actual string. The methods the callee sees on strings are its own methods, not the caller's.

> Passing any sort of structured objects similarly means passing
> methods.

In the case of Gecko, what the caller gets in this case is a proxy for the actual object which enforces security invariants like "only properties on a whitelist are exposed" for cases when the security check is asymmetric. This is handled completely on the underlying JS implementation level; individual callers don't have to do anything special to be safe this way.

> We have mechanisms for safe passing of data from one context to another,
> such as postMessage(). Doing it by having one-way glass in JS just seems
> like asking for trouble.

postMessage doesn't work unless both sides are cooperating...

> Yeah, like running getters with the ability to abort them if they don't
> return promptly.

Perhaps, yes. ;) I agree that debuggers have all sorts of weird going on, obviously!

> But your underlying point, that we can't rely on the entry script and the
> real origin, is sound. In particular, anything that's to be affected by
> document.domain has to use the calling script, not the entry script, and
> has to use the effective origin, not the real origin. It would be useful
> if someone (other than me) were to review the spec's uses of the term
> "entry script" and "origin" and verify that the checks all make sense.

I'll see what I can do about finding someone for this. Might be a few weeks given holidays and whatnot, obviously.

I'll let Bobby handle the Location parts of this.  ;)

-Boris
