[webkit-dev] ExecState::thisObject()

Maciej Stachowiak mjs at apple.com
Mon Jul 13 16:59:24 PDT 2009


On Jul 13, 2009, at 4:34 PM, Adam Barth wrote:

> CVE-2009-1702 is an example of such a security hole.  I'm sure that I
> can find more if I look for them.

I think objects attached to the global object and accessible
cross-origin are a special case here. (The advisory cited is about
Location and History.) Values that can be accessed cross-origin are the
most likely locus for security issues in this area. And they also likely
need behavior that's different from the generally proposed pattern,
since revealing or allowing the mutation of home origin prototypes is
a security risk.

If security is one motivation for this work, then I'd like us to  
understand the pattern we want to use for cross-origin-accessible  
objects. Should they use the "home global object" prototype but  
protect it from mutation or access to extended properties, should they  
use the prototype of the referencing frame (lexical global object) or  
something else?


>
>> Personally I am convinced that the answers to (3) and (C) are both  
>> "yes",
>> and I don't know about any of the other points.
>
> I can try to provide more information as best I can.  Another option
> is to make this change incrementally and assess the costs as we go.
> For example, we could fix the SVG prototypes first.

Doing the change incrementally seems wise, if it is feasible to do so.  
Maybe even a patch demonstrating how it would work for a single class  
could be a good way to evaluate the change. Perhaps separate  
trailblazing examples could be given for both an ordinary class and  
one that is cross-origin accessible.

Regards,
Maciej
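[Editor's note, added to this archived message and not part of it or of WebKit's
code: the three choices Maciej raises for a cross-origin-accessible object
(hand out the home global's prototype unguarded, keep it but protect it from
mutation and from access to extra properties, or give the wrapper the
referencing frame's own prototype) can be modelled with plain objects. The toy
below does that. Every name in it (makeRealm, rawAccess, guardedAccess,
lexicalAccess, poisonPrototype, homeUse, scenario) and the two origins are
invented for the illustration; nothing here is a JavaScriptCore or WebCore
identifier, and the "Location" is a stand-in with one method.]

```javascript
'use strict';
// Toy model of two frames ("realms"), each with its own global prototypes,
// sharing one cross-origin-accessible object. Constructed example only.

function makeRealm(origin) {
  // In this model every global object owns a distinct Location prototype.
  const LocationPrototype = {
    assign(url) {
      this.href = url;
      return 'navigate ' + this.owner + ' -> ' + url;
    },
  };
  const location = Object.create(LocationPrototype);
  location.owner = origin;
  location.href = origin + '/';
  return { origin, LocationPrototype, location };
}

// Option A (the hazard): the other origin receives the home realm's object,
// and with it the home realm's prototype chain.
function rawAccess(home) {
  return home.location;
}

// Option B: keep the home-realm prototype behind the object but never expose
// it. The view has a null prototype, carries only an allow-list, and is
// frozen; methods are bound to the real object so `this` is never the view.
const CROSS_ORIGIN_ALLOWED = ['href', 'assign'];
function guardedAccess(home) {
  const target = home.location;
  const view = Object.create(null);
  for (const name of CROSS_ORIGIN_ALLOWED) {
    Object.defineProperty(view, name, {
      enumerable: true,
      get() {
        const v = target[name];
        return typeof v === 'function' ? v.bind(target) : v;
      },
      set(v) {
        if (name !== 'href') throw new TypeError(name + ' is read-only cross-origin');
        target.href = v;
      },
    });
  }
  return Object.freeze(view);
}

// Option C: a wrapper whose prototype belongs to the accessing realm (the
// lexical global object). Tampering with that prototype stays in that realm.
function lexicalAccess(home, accessing) {
  const target = home.location;
  const wrapper = Object.create(accessing.LocationPrototype);
  for (const name of ['href', 'owner']) {
    Object.defineProperty(wrapper, name, {
      enumerable: true,
      get() { return target[name]; },
      set(v) { if (name === 'href') target.href = v; },
    });
  }
  return wrapper;
}

// What a hostile frame attempts: swap a method on whatever prototype it can
// reach, or failing that on the object itself.
function poisonPrototype(obj) {
  const evilAssign = function (url) { return 'HIJACKED ' + this.owner + ' ' + url; };
  const proto = Object.getPrototypeOf(obj);
  if (proto !== null) { proto.assign = evilAssign; return 'prototype poisoned'; }
  obj.assign = evilAssign;  // frozen accessor: the setter throws in strict mode
  return 'own property poisoned';
}

// What the home origin's own script later does with its own location object.
function homeUse(home) {
  return home.location.assign('https://home.example/next');
}

// Runs one option end to end and reports what the attacker achieved, what the
// home origin then observes, and what the attacker's own realm observes.
function scenario(option) {
  const home = makeRealm('https://home.example');
  const evil = makeRealm('https://evil.example');
  const shared =
    option === 'raw' ? rawAccess(home) :
    option === 'guarded' ? guardedAccess(home) :
    lexicalAccess(home, evil);
  let attack;
  try { attack = poisonPrototype(shared); }
  catch (e) { attack = 'blocked: ' + e.constructor.name; }
  return { attack, homeResult: homeUse(home), evilResult: evil.location.assign('x') };
}

for (const option of ['raw', 'guarded', 'lexical']) {
  console.log(option, scenario(option));
}
```

Under option A the home origin's own call to assign() runs the attacker's
function; under B the attacker finds no prototype and the frozen view rejects
the own-property write; under C the poisoning lands on the attacker's own
realm's prototype, so only the attacker's own location changes behaviour. A
real engine also has to hide non-allow-listed properties and the constructor
chain, which this toy only gestures at with its allow-list.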
