ian at hixie.ch
Thu Aug 1 13:50:04 PDT 2013
On Thu, 1 Aug 2013, Brendan Eich wrote:
> Ian Hickson wrote:
> > On Thu, 1 Aug 2013, Brendan Eich wrote:
> > > > That actually gets you closer to what the spec says (closer to the
> > > > legacy model) than the Gecko approach,
> > > How so? Can you give an example where Gecko doesn't do what the spec
> > > says?
> > The difference between the model I described and the Gecko model is
> > that the isolation is amongst groups of similar-origin browsing
> > contexts, so document.domain doesn't cause a problem. That is, two
> > sibling iframes at http://victim.example.com:80 and
> > http://hostile.example.com:81 would be in the same process, not
> > isolated from each other. It's essentially the model described in the
> > spec, implemented with Gecko-style defense-in-depth.
> So object refs not linked through window or document do get revoked on
> domain change, or do not?
Nothing ever gets revoked in this model. All that changes is that certain
properties start throwing when accessed (or, for methods, called).
(The precise mechanism by which this happens is the topic of:
> > > How about the non-enumerable thing? That doesn't really protect
> > > anything in ES5 era, and as Allen says it doesn't protect against
> > > guessed-name probing.
> > I'm not sure what this refers to. Can you elaborate?
> When the incumbent script's effective script origin is different than a
> Window object's Document's effective script origin, the user agent must
> act as if any changes to that Window object's properties, getters,
> setters, etc, were not present, and as if all the properties of that
> Window object had their [[Enumerable]] attribute set to false.
That paragraph was added because of:
Happy to change it to say something else instead, if it's wrong for some
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
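
The following is an added example, not code from this thread, the HTML spec, or any browser. It is a plain-JavaScript model of two points in the exchange above: a held reference is not revoked when origins stop matching (access simply starts throwing), and reporting properties as non-enumerable hides them from enumeration but not from ES5 reflection or a guessed-name `in` test. `makeWindowRef`, `observe`, `state` and the origin strings are hypothetical names; a `Proxy` stands in for the user agent's origin check.

```javascript
// Simplified model only: a Proxy plays the role of the user agent's check of
// the caller's effective script origin against the Window's Document's.
function makeWindowRef(target, state) {
  const sameOrigin = () => state.caller === state.owner;
  const deny = () => { throw new Error("SecurityError (modelled)"); };
  return new Proxy(target, {
    get(t, key, recv) { return sameOrigin() ? Reflect.get(t, key, recv) : deny(); },
    set(t, key, value, recv) { return sameOrigin() ? Reflect.set(t, key, value, recv) : deny(); },
    // Models "as if all the properties ... had [[Enumerable]] set to false".
    getOwnPropertyDescriptor(t, key) {
      const desc = Reflect.getOwnPropertyDescriptor(t, key);
      if (desc && !sameOrigin()) desc.enumerable = false;
      return desc;
    },
    // No `has` or `ownKeys` trap: those operations reach the target unchanged,
    // which is the gap that non-enumerability alone leaves open.
  });
}

// Records what a script holding `ref` can learn about one property name.
function observe(ref, guessedName) {
  let readable = true;
  try { void ref[guessedName]; } catch (e) { readable = false; }
  return {
    readable,                                   // does a plain read succeed?
    enumerated: Object.keys(ref),               // enumerable own keys only
    ownNames: Object.getOwnPropertyNames(ref),  // ES5 reflection, ignores [[Enumerable]]
    hasGuessed: guessedName in ref,             // guessed-name probe
  };
}

function demo() {
  // Constructed origins; changing `owner` models the origins ceasing to match.
  const state = { caller: "http://a.example", owner: "http://a.example" };
  const ref = makeWindowRef({ secretCounter: 7 }, state);
  const before = observe(ref, "secretCounter");
  state.owner = "http://b.example";
  const after = observe(ref, "secretCounter");  // same reference, never revoked
  return { before, after };
}

console.log(JSON.stringify(demo(), null, 2));
```

In this model, closing the gap means filtering `has` and `ownKeys` with the same origin check as `get`, rather than relying on the enumerable flag.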