The global object in browsers
ian at hixie.ch
Thu Feb 19 02:08:46 PST 2009
On Thu, 19 Feb 2009, David-Sarah Hopwood wrote:
> MarkM's point is that *given that the object called Window is
> inaccessible*, there's no way to observe that the object called Window
> is at the top of the scope chain.
Granted, but there _is_ a way to observe that the object at the top of the
scope chain isn't the same as the object returned by |this|, which is what
I am concerned about.
> > When a browsing context navigates from page A to page B, the object at
> > the top of the scope chain in code from page A and the oject at the
> > top of the scope chain in code from page B are not the same object,
> It's not possible to observe that, since by hypothesis neither object is
> accessible to ECMAScript code.
The object itself isn't, but properties on the object are. If two scripts
check to see what value a variable "x" on their global object is, and they
get different results, in the absence of any code changing anything, one
can tell that they are different global objects.
> I'm confused by the motivation of the change in HTML5. It seems like it
> is imposing most of the complexity that would be needed to fix some of
> the security problems associated with the global object, *without*
> actually fixing those problems.
What security problems does in not fix?
The motivation is to make HTML5 describe what browsers do.
> Also, it is a breach of standards development etiquette for the HTML WG
> to make a a change (even in a draft) that it believes to be incompatible
> with the ECMAScript spec, without consulting TC39. It should not have
> been left to you in the role of an implementor to point out the
I am the editor of the HTML5 spec. My e-mail was an attempt at the
consultation to which you refer.
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
More information about the Es-discuss