New full Unicode for ES6 idea
brendan at mozilla.com
Sun Feb 19 13:52:07 PST 2012
Mark S. Miller wrote:
> On Sun, Feb 19, 2012 at 11:49 AM, Brendan Eich <brendan at mozilla.com
> <mailto:brendan at mozilla.com>> wrote:
> Not all engines mediate cross-same-origin-window accesses. I hear
> IE9+ may, indeed rumor is it remotes to another process sometimes
> (breaking run-to-completion a bit; something we should explore
> breaking in the future for window=vat). SpiderMonkey just recently
> (not sure if this is in a Firefox channel yet) went to compartment
> per global, for good savings once things were refactored to
> maximize sharing of internal immutables.
> Other than the origin truncation issue that I am still confused about,
Do you mean document.domain setting? That allows code in an origin to
join its origin's super-domain (but not a dotless top level). See
> what other benefits are there to mediating interframe access within
> the same origin?
The WindowProxy in HTML5 reflects a de-facto standard developed by
browser implementors to avoid
closure-survives-navigation-to-other-origin attacks. See
Demons from the First Age included attacks that loaded a document
containing a script defining a closure from evil.org into a subframe,
then stuck a ref to the closure in the super-frame, then navigated the
sub-frame to victim.com. Guess whose scope the closure saw, with only
Window objects and no WindowProxy wrappers for the named (not implicit
in identifier resolution) window/frame objects?
> My R2 resolution is not specific to any engine, but I have hopes
> it can be accepted. It is concrete enough to help overcome
> large-yet-vague doubts about implementation impact (at least
> IMHO). Recall that document.domain setting may have to split a
> merged same-origin window/frame graph, at any time. Again
> implementation solutions vary, but this suggests cross-window
> mediation can be interposed lazily.
> How? By doing a full walk of the object graph and doing surgery on it?
> This sounds more painful than imposing mediation up front.
No, by indirection, of course ;-). The details vary among browsers.
> But I'm still hoping that objects same origin iframes can communicate
> directly, without mediation.
Why? Anyway, it's unsafe, wherefore WindowProxy. No big deal. There's no
mediation for identifier resolution (i.e., scope chain lookup) and
indeed JITting VMs optimize the heck out of local global accesses already.
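To make the Window/WindowProxy distinction above concrete, here is an added JavaScript model, written for this note and not taken from the thread or from any browser's code: a WindowProxy that forwards every access to whichever Window is current for the browsing context, beside a legacy model that reuses one Window object across navigation. The names (`createBrowsingContext`, `makeWindow`, `defineClosureIn`) and the origins are constructed for the example.

```javascript
// Constructed model of the browser-side mechanism; no real DOM involved.
// A Window is the global object of one document. A WindowProxy has no state
// of its own and forwards to the browsing context's current Window.

function makeWindow(origin) {
  // Each document gets a fresh global with its own data.
  return { origin, secret: `secret-of-${origin}` };
}

function createBrowsingContext(initialOrigin) {
  const ctx = { current: makeWindow(initialOrigin) };
  const windowProxy = new Proxy({}, {
    get: (_, prop) => Reflect.get(ctx.current, prop),
    set: (_, prop, value) => Reflect.set(ctx.current, prop, value),
    has: (_, prop) => prop in ctx.current,
  });
  return {
    proxy: windowProxy,                                   // what other frames may hold
    currentWindow: () => ctx.current,                     // what scripts in the frame bind to
    navigate(origin) { ctx.current = makeWindow(origin); } // new document => new Window
  };
}

// Identifier resolution inside the frame binds to the Window itself, so a
// closure defined by a script there captures that Window, never the proxy.
function defineClosureIn(win) {
  return () => win.secret;
}

// Legacy model: a single Window object is reused for every document the
// frame shows, so a closure defined before navigation resolves names against
// the next document's globals.
function legacyModel() {
  const win = makeWindow('a.example');
  const peek = defineClosureIn(win);
  Object.assign(win, makeWindow('b.example'));  // navigation mutates the same Window
  return peek();                                // sees b.example's data
}

// WindowProxy model: navigation swaps in a fresh Window. The old closure keeps
// seeing only its own (now detached) Window, while a reference held by the
// parent frame, being a WindowProxy, follows the current document.
function windowProxyModel() {
  const bc = createBrowsingContext('a.example');
  const peek = defineClosureIn(bc.currentWindow());
  bc.navigate('b.example');
  return { closureSees: peek(), proxySees: bc.proxy.secret, proxyOrigin: bc.proxy.origin };
}
```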
More information about the es-discuss