[webkit-dev] ExecState::thisObject()
Maciej Stachowiak
mjs at apple.com
Mon Jul 13 17:41:32 PDT 2009
On Jul 13, 2009, at 5:34 PM, Adam Barth wrote:
> On Mon, Jul 13, 2009 at 4:59 PM, Maciej Stachowiak<mjs at apple.com> wrote:
>> If security is one motivation for this work, then I'd like us to understand
>> the pattern we want to use for cross-origin-accessible objects. Should they
>> use the "home global object" prototype but protect it from mutation or
>> access to extended properties, should they use the prototype of the
>> referencing frame (lexical global object) or something else?
>
> I can study this question, but I believe Firefox solves this problem
> by having cross-origin viewers of these properties see a "fresh" copy
> of the object that isn't === the object as seen by same-origin
> viewers. The fresh copy ignores any changes the page might have made
> to the object and has a prototype chain that connects to the viewer's
> prototypes. If two different cross-origin viewers look at the same
> object, they each see fresh copies.
That pattern sounds workable.
Regards,
Maciej
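
The "fresh copy" pattern described in the quoted reply, as an added toy model (not part of the original message, and not Firefox or WebKit code). The realm objects, the `viewFrom` helper, the `href` allowlist, the per-viewer cache and the example origins are all assumptions made for illustration.

```javascript
// Toy model: a "realm" stands in for one frame's global object and its own
// built-in prototypes. All names here are hypothetical.
function makeRealm(origin) {
  return { origin, objectPrototype: { realmOrigin: origin } };
}
// Constructed allowlist of properties a cross-origin viewer may read.
const CROSS_ORIGIN_READABLE = ["href"];
// viewer realm -> (target -> wrapper). Caching per viewer is an assumption.
const wrappers = new WeakMap();

function viewFrom(viewer, owner, target, pristine) {
  // Same-origin viewers see the real object, page mutations included.
  if (viewer.origin === owner.origin) return target;
  let perViewer = wrappers.get(viewer);
  if (!perViewer) wrappers.set(viewer, (perViewer = new WeakMap()));
  let wrapper = perViewer.get(target);
  if (!wrapper) {
    // Fresh object whose prototype chain connects to the viewer's prototypes.
    wrapper = Object.create(viewer.objectPrototype);
    for (const name of CROSS_ORIGIN_READABLE) {
      // Read from browser-held state, not the page-visible object, so page
      // overrides and expando properties are ignored.
      Object.defineProperty(wrapper, name, {
        get: () => pristine[name], enumerable: true,
      });
    }
    Object.freeze(wrapper);
    perViewer.set(target, wrapper);
  }
  return wrapper;
}

function demo() {
  const home = makeRealm("https://a.example");
  const viewerB = makeRealm("https://b.example");
  const viewerC = makeRealm("https://c.example");
  const pristine = { href: "https://a.example/page" }; // browser-held state
  const location = Object.create(home.objectPrototype);
  // The page tampers with its own object and its own prototype.
  location.href = "https://a.example/overridden";
  location.secret = "expando";
  home.objectPrototype.injected = () => "from page";
  return { home, viewerB, viewerC, location,
    same: viewFrom(home, home, location, pristine),
    b: viewFrom(viewerB, home, location, pristine),
    c: viewFrom(viewerC, home, location, pristine) };
}
```
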