[webkit-dev] ExecState::thisObject()

Geoffrey Garen ggaren at apple.com
Tue Jul 14 12:31:10 PDT 2009

>>> That's correct.  Other browser's get this case right.  Here are a
>>> couple test cases you might find interesting:
>>> http://webblaze.org/abarth/tests/protoconfused/test1.html
>>> http://webblaze.org/abarth/tests/protoconfused/test2.html
>> I tried these tests, with mixed results:
>> IE8: Exception thrown during load.
>> Firefox 3.0: mixture of passes and fails on test1.html. Exception  
>> thrown
>> during load of test2.html.
>> Chrome 2.0: Mixture of passes and fails.
> Yes.  All the browsers suck on these tests.  :)
> Would you like me to go look for more exploitable cases?  It seems
> like the only reason not to fix this issue is because we're afraid of
> code churn.

I'm just trying to clarify the issue.

Based on your input, I started out thinking that there was a spec  
mandating this behavior, that other browsers followed the spec, and  
that failure to follow the spec was a security hole.

Now I see that there is no spec, there is no clear shared behavior in  
other browsers, and the security holes we know about only pertain to  
cross-origin objects, which would specifically be excluded from this  

So, the motivation for this change is simply that it would establish a  
new, more logical model for cross-frame property access. That's a  
laudable goal. I hope we can make it happen.

Since we're inventing the model, we have some freedom to do what we  
think is simplest and/or most efficient and/or most secure in certain  
edge cases.

Also, once we've established the model, we'll need to propose it to  
some standards body -- probably HTML5.

Also, we're free to fix the easy stuff now and the hard stuff later,  
since leaving some rough edges unfinished will not be a security  


More information about the webkit-dev mailing list