darin at apple.com
Tue Dec 7 11:25:22 PST 2010
I think we’re going about this the wrong way. The general rule for the DOM is to do the work in the DOM classes rather than in the binding. The job of the binding is to extract the arguments and call through to the DOM. This is how we should be doing it.
Let me give an example. When setting the location attribute of the DOM window, the binding should extract the active frame and first frame, convert the value of the attribute to a string, and then call through to the DOMWindow object. The security logic should be in the DOMWindow.h/cpp file, not in the binding.
I’m working on a patch for setLocation and then I’ll move on to open and showModalDialog.
Once we have done enough of this work, we should be able to remove a lot of unneeded code from files like BindingSecurity.h, BindingSecurityBase.h, BindingSecurityBase.cpp, BindingLocation.h, BindingFrame.h, BindingDOMWindow.h, GenericBinding.h, JSDOMWindowBase.h, and JSDOMWindowBase.cpp.
We really don’t want to spread security responsibilities into the bindings. What the bindings need to do is communicate the scripting context when calling in the DOM. The DOM can implement security rules and such in a way that’s independent of the bindings.
Let me know what you think.
More information about the webkit-dev