I discussed this a bit with Darin and Geoff, and we came to the
conclusion that the correct fix is to have each JS DOMObject store
a JSGlobalObject pointer and augment the toJS methods to pass a
global object instead of an ExecState (close to your #1).
You probably mean "in addition to" rather than "instead of".
We talked about "instead of".
We think the JSGlobalObject will render the ExecState irrelevant,
since the ExecState was only used to access the heap, which
JSGlobalObject can do, and to select a prototype, which this fix will
do.
(As a side note, I'm not sure this is really a security issue, since
we're primarily talking about same-origin access here. For the few
cases where cross-origin access is allowed, we would *not* want to
expose the home window's prototype chain. So for Window.postMessage
for instance, cross-origin access needs to give you a distinct
wrapper.)
Yeah, probably not a security issue.
Geoff
_______________________________________________
webkit-dev mailing list
webkit-dev@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev