8125 – Can it be specified somewhere that script can define a variable named "top" with 'var top' in a global context? This is currently inconsistent across browsers.

This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 8125 - Can it be specified somewhere that script can define a variable named "top" with 'var top' in a global context? This is currently inconsistent across browsers.

Summary: Can it be specified somewhere that script can define a variable named "top" w...

Status:	RESOLVED WONTFIX

Alias:	None

Product:	HTML WG
Classification:	Unclassified
Component:	pre-LC1 HTML5 spec (editor: Ian Hickson) (show other bugs)
Version:	unspecified
Hardware:	Other other

Importance:	P3 normal
Target Milestone:	LC
Assignee:	Ian 'Hixie' Hickson
QA Contact:	HTML WG Bugzilla archive list

URL:	http://www.whatwg.org/specs/web-apps/...
Whiteboard:
Keywords:	NE

Depends on:
Blocks:

Reported:	2009-10-29 17:16 UTC by contributor
Modified:	2010-10-04 14:30 UTC (History)
CC List:	5 users (show)

See Also:

Attachments

Description contributor 2009-10-29 17:16:13 UTC

Section: http://www.whatwg.org/specs/web-apps/current-work/#the-window-object

Comment:
Can it be specified somewhere that script can define a variable named "top" with 'var top' in a global context? This is currently inconsistent across browsers.

Posted from: 68.146.86.203

Comment 1 Adam Barth 2009-10-29 23:46:13 UTC

Letting script define a global variable named top is a security vulnerability.  It's only inconsistent because I haven't gotten around to convincing everyone of that fact yet.

Comment 2 Ian 'Hixie' Hickson 2009-12-13 15:54:50 UTC

EDITOR'S RESPONSE: This is an Editor's Response to your comment. If you are satisfied with this response, please change the state of this bug to CLOSED. If you have additional information and would like the editor to reconsider, please reopen this bug. If you would like to escalate the issue to the full HTML Working Group, please add the TrackerRequest keyword to this bug, and suggest title and text for the tracker issue; or you may create a tracker issue yourself, if you are able to do so. For more details, see this document:
   http://dev.w3.org/html5/decision-policy/decision-policy.html

Status: Rejected
Change Description: no spec change
Rationale: As far as I can tell, this is already well-defined (through WebIDL). Off-hand, though, I don't know if it's well-defined to allow or disallow it; you'd have to check WebIDL carefully to determine that.

Adam: If WebIDL or HTML5 need to change to handle this security issue, please file a new bug stating exactly what should change.