[webkit-dev] ExecState::thisObject()

Maciej Stachowiak mjs at apple.com
Mon Jul 13 17:41:32 PDT 2009

On Jul 13, 2009, at 5:34 PM, Adam Barth wrote:

> On Mon, Jul 13, 2009 at 4:59 PM, Maciej Stachowiak<mjs at apple.com>  
> wrote:
>> If security is one motivation for this work, then I'd like us to  
>> understand
>> the pattern we want to use for cross-origin-accessible objects.  
>> Should they
>> use the "home global object" prototype but protect it from mutation  
>> or
>> access to extended properties, should they use the prototype of the
>> referencing frame (lexical global object) or something else?
> I can study this question, but I believe Firefox solves this problem
> by having cross-origin viewers of these properties see a "fresh" copy
> of the object that isn't === the object as seen by same-origin
> viewers.  The fresh copy ignores any changes the page might has made
> to the object and has a prototype chain connects to the viewer's
> prototypes.  If two different cross-origin viewers look at the same
> object, they each see fresh copies.

That pattern sounds workable.


More information about the webkit-dev mailing list