[Webkit-unassigned] [Bug 16824] New: Script authorization should follow lexical (not dynamic) scope

bugzilla-daemon at webkit.org
Thu Jan 10 13:44:01 PST 2008


http://bugs.webkit.org/show_bug.cgi?id=16824

           Summary: Script authorization should follow lexical (not dynamic)
                    scope
           Product: WebKit
           Version: 525+ (Nightly build)
          Platform: All
               URL: http://crypto.stanford.edu/~abarth/research/webkit/static/
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore JavaScript
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: hk9565 at gmail.com
                CC: sam at webkit.org, webkit at collinjackson.com


There are two methods for determining the security context associated with a
given script:

1) Lexical scope: Pick the principal associated with the document that contains
the script.

2) Dynamic scope: Walk up the run-time stack and pick the principal associated
with the top-most stack frame.

Firefox and Internet Explorer use the lexical scope for authorization.  Safari
and Opera use the dynamic scope for authorization.  HTML 5 specifies that user
agents use the lexical scope: "The origin of the script is the origin of the
Document to which the script element belongs."

<http://www.whatwg.org/specs/web-apps/current-work/#origin>

WebKit should match Firefox, Internet Explorer, and the HTML 5 spec by using
the lexical scope for authorization.


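The two methods described in the report, as an added toy model in JavaScript (not part of the original report and not WebKit code). It assumes "top-most stack frame" means the outermost frame, that is, the script that was entered first; `defineScript`, `decide` and the example origins are hypothetical names constructed for illustration.

```javascript
// Toy model, constructed for illustration; not WebKit code.
// Run-time stack: each frame records the document that defined the running script.
const stack = [];

const makeDocument = (origin) => ({ origin });

// Wrap a function so that calling it pushes a frame for its defining document.
function defineScript(doc, body) {
  return (...args) => {
    stack.push({ doc });
    try { return body(...args); } finally { stack.pop(); }
  };
}

// Lexical scope: the principal of the document that contains the running script.
const lexicalPrincipal = () => stack[stack.length - 1].doc.origin;

// Dynamic scope (assumed reading): walk up to the outermost frame,
// i.e. the script that was entered first.
const dynamicPrincipal = () => stack[0].doc.origin;

// Same-origin access check against a target document under the chosen method.
const check = (principalOf, target) =>
  principalOf() === target.origin ? "allow" : "deny";

// A script in `entry` calls a function defined in `definer`, which touches `target`.
function decide(entry, definer, target) {
  const callee = defineScript(definer, () => ({
    lexical: check(lexicalPrincipal, target),
    dynamic: check(dynamicPrincipal, target),
  }));
  return defineScript(entry, () => callee())();
}

const a = makeDocument("https://a.example"); // constructed origins
const b = makeDocument("https://b.example");

console.log(decide(a, a, a)); // one document only: the methods agree
console.log(decide(a, b, a)); // b's function running under a's script, touching a
console.log(decide(b, a, a)); // a's function called from b's script, touching a
```

The methods only disagree when the running function and the entry script come from different documents: in the second call the function defined in `b` is authorized as `a` under the dynamic method but as `b` under the lexical one.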