[Webkit-unassigned] [Bug 16824] New: Script authorization should follow lexical (not dynamic) scope
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu Jan 10 13:44:01 PST 2008
http://bugs.webkit.org/show_bug.cgi?id=16824
Summary: Script authorization should follow lexical (not dynamic)
scope
Product: WebKit
Version: 525+ (Nightly build)
Platform: All
URL: http://crypto.stanford.edu/~abarth/research/webkit/stati
c/
OS/Version: All
Status: NEW
Severity: Normal
Priority: P2
Component: WebCore JavaScript
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: hk9565 at gmail.com
CC: sam at webkit.org, webkit at collinjackson.com
There are two methods for determining the security context associated with a
given script:
1) Lexical scope: Pick the principal associated with the document that contains
the script.
2) Dynamic scope: Walk up the run-time stack and pick the principal associated
with the top-most stack frame.
Firefox and Internet Explorer use the lexical scope for authorization. Safari
and Opera use the dynamic scope for authorization. HTML 5 specifies that user
agents use the lexical scope: "The origin of the script is the origin of the
Document to which the script element belongs."
<http://www.whatwg.org/specs/web-apps/current-work/#origin>
WebKit should match Firefox, Internet Explorer, and the HTML 5 spec by using
the lexical scope for authorization.
--
Configure bugmail: http://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
More information about the webkit-unassigned
mailing list