On Jul 16, 2009, at 5:58 PM, Ian Hickson wrote:
On Thu, 16 Jul 2009, Maciej Stachowiak wrote:
On Jul 16, 2009, at 3:08 PM, Jonas Sicking wrote:
I definitely agree you definitely don't want the inner windows
prototype values if it's a cross-origin window. What you should
get is
less clear to me.
If you should get the outer windows prototype or some sort of blank
prototype. Personally it'd make the most sense to me if you got a
blank prototype since that seems like the most consistent behavior.
Window itself is even more of a special case. What I had in mind is
objects hanging off of Window that are accessible to a limited extent
cross-origin, such as History, or Location, or the postMessage
function.
I don't think it would work to give those a blank prototype. And you
can't just give them the prototype chain from their home window
because
that would be an XSS violation.
HTML5 just says that new History, Location, etc, objects are created
for
each (inner) Window object. Is this not accurate? What do browsers do?
Creating new ones on navigation is indeed correct, but a separate
issue from making sure cross-origin cross-frame access to things like
history.back() is safe for both parties.
Regards,
Maciej
