Realm, schmealm!

ian at ian at
Thu Aug 1 14:21:55 PDT 2013

(apologies for the people on the to: and cc: lines getting dupes, I wanted 
to resend this to make sure it was in the archives and seen by the others 
on the list)

On Thu, 1 Aug 2013, Brendan Eich wrote:
> > 
> > That actually gets you closer to what the spec says (closer to the 
> > legacy model) than the Gecko approach,
> How so? Can you give an example where Gecko doesn't do what the spec 
> says?

The difference between the model I described and the Gecko model is that 
the isolation is amongst groups of similar-origin browsing contexts, so 
document.domain doesn't cause a problem. That is, two sibling iframes at and would be in 
the same process, not isolated from each other. It's essentially the model 
described in the spec, implemented with Gecko-style defense-in-depth.

> How about the non-enumerable thing? That doesn't really protect anything 
> in ES5 era, and as Allen says it doesn't protect against guessed-name 
> probing.

I'm not sure what this refers to. Can you elaborate?

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
                          U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

More information about the es-discuss mailing list