[Webkit-unassigned] [Bug 146785] toJSDOMWindow() does not handle objects that descend from the JS DOM Window (crashes on use)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jul 23 15:58:38 PDT 2015


https://bugs.webkit.org/show_bug.cgi?id=146785

--- Comment #16 from Darin Adler <darin at apple.com> ---
I’m not entirely sure.

I suppose that given how JavaScript works, the concept that an object that eventually in a prototype chain points to a DOM window *is* a DOM window, and a search of the prototype chain can be treated as a cast, is an OK concept.

This makes me worry that there are other cases like this, where we are checking the internal C++ class of what backs "this" objects in various DOM functions but we should really be searching the prototype chains of those objects instead. These are probably in other functions named toXXX, where XXX is something other than DOM window.

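Added example, not part of the original comment and not WebKit's code: a JavaScript model of the two checks discussed in comment #16, an exact backing-class check versus a prototype-chain search used as a cast. The WeakSet and the names makeWindow, toWindowExact and toWindowViaChain are hypothetical; the depth cap is an assumption that keeps the walk bounded when a Proxy reports itself as its own prototype.

```javascript
// Model only: membership in this WeakSet stands in for "this wrapper is
// backed by the native window class". Nothing here is WebKit's API.
const nativeWindows = new WeakSet();
const MAX_CHAIN_DEPTH = 64; // assumed bound, not a value from the bug

function isObject(v) {
  return (typeof v === "object" && v !== null) || typeof v === "function";
}

// Hypothetical constructor for a native-backed "window" in this model.
function makeWindow(name) {
  const w = { name };
  nativeWindows.add(w);
  return w;
}

// Exact-class check: accepts only the native-backed wrapper itself.
function toWindowExact(value) {
  return isObject(value) && nativeWindows.has(value) ? value : null;
}

// Prototype-chain search treated as a cast. It returns the native-backed
// object found on the chain, never the derived object, so the caller only
// ever operates on something that really has the native backing.
function toWindowViaChain(value) {
  if (!isObject(value)) return null;
  let o = value;
  for (let depth = 0; o !== null && depth < MAX_CHAIN_DEPTH; depth++) {
    if (nativeWindows.has(o)) return o;
    o = Object.getPrototypeOf(o); // may run a Proxy trap
  }
  return null; // no native window on the chain, or the chain is too deep
}
```

Either function returns null rather than reinterpreting an object that lacks the native backing; the caller has to handle that null explicitly.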