[webkit-dev] ExecState::thisObject()
Geoffrey Garen
ggaren at apple.com
Tue Jul 14 12:31:10 PDT 2009
>>> That's correct. Other browsers get this case right. Here are a
>>> couple of test cases you might find interesting:
>>>
>>> http://webblaze.org/abarth/tests/protoconfused/test1.html
>>> http://webblaze.org/abarth/tests/protoconfused/test2.html
>>
>> I tried these tests, with mixed results:
>>
>> IE8: Exception thrown during load.
>> Firefox 3.0: Mixture of passes and fails on test1.html. Exception
>> thrown during load of test2.html.
>> Chrome 2.0: Mixture of passes and fails.
>
> Yes. All the browsers suck on these tests. :)
>
> Would you like me to go look for more exploitable cases? It seems
> like the only reason not to fix this issue is because we're afraid of
> code churn.
I'm just trying to clarify the issue.
Based on your input, I started out thinking that there was a spec
mandating this behavior, that other browsers followed the spec, and
that failure to follow the spec was a security hole.
Now I see that there is no spec, there is no clear shared behavior in
other browsers, and the security holes we know about only pertain to
cross-origin objects, which would specifically be excluded from this
change.
So, the motivation for this change is simply that it would establish a
new, more logical model for cross-frame property access. That's a
laudable goal. I hope we can make it happen.
Since we're inventing the model, we have some freedom to do what we
think is simplest and/or most efficient and/or most secure in certain
edge cases.
Also, once we've established the model, we'll need to propose it to
some standards body -- probably HTML5.
Also, we're free to fix the easy stuff now and the hard stuff later,
since leaving some rough edges unfinished will not be a security
problem.
Geoff