[whatwg] Should events be paused on detached iframes?

On 3/4/11 7:08 PM, Ian Hickson wrote:
> Could you elaborate on the security reasons?

The primary one is that there are Gecko-internal security settings 
that are supposed to apply to "this browsing context and all descendant 
browsing contexts".

Right now this is handled by traversing a parent chain that has to be 
broken when the node is removed from the document.  To avoid giving the 
node's contentWindow permissions it shouldn't have, we then make sure 
script can't run in it, by the simple expedient of tearing down the 
browsing context...

It's possible to switch these relevant checks to walk the ownerDocument 
chain instead, say.  Then we need to audit all the callsites to make 
sure this makes sense at them and figure out what to do for the ones 
where it doesn't.  (For example, should window.alert on the window of an 
iframe not in the DOM put up a dialog in a tab based on the 
ownerDocument of the iframe?  Or not put one up at all?)  There are 
quite a few APIs that need to be thus audited if this invariant is changed.

> I don't really understand the problem.

The main problem is having better ways to spend engineering time... ;)

> It certainly seems like there are some valid use cases for moving
> frames around from document to document.

There are, yes.  There are also lots of edge cases that are otherwise 
impossible that are introduced by allowing it; I'm a little curious as 
to how compatible with each other the IE8 and Chrome implementations are.

-Boris

Received on Friday, 4 March 2011 17:49:03 UTC
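
The parent-chain check described in the message above, as a simplified model added here (not Gecko code and not part of the original message). The class, the function names and the scriptDisabled setting are hypothetical stand-ins for the unnamed internal settings.

```javascript
// Simplified model of inherited security settings; all names are hypothetical.
class BrowsingContext {
  constructor(name, parent = null, scriptDisabled = false) {
    this.name = name;
    this.parent = parent;         // parent browsing context; cleared on detach
    this.ownerContext = parent;   // context of the iframe's ownerDocument; survives detach
    this.scriptDisabled = scriptDisabled; // applies to this context and all descendants
    this.tornDown = false;
  }
}

// Removing the iframe from the document breaks the parent chain.
function detach(ctx, tearDown) {
  ctx.parent = null;
  if (tearDown) ctx.tornDown = true;
}

// Walk a chain of contexts via `link`; any ancestor with the setting blocks script.
function scriptAllowed(ctx, link) {
  if (ctx.tornDown) return false; // no browsing context, so no script runs at all
  for (let c = ctx; c !== null; c = c[link]) {
    if (c.scriptDisabled) return false;
  }
  return true;
}

function scenario(tearDown, link) {
  const top = new BrowsingContext("top", null, true); // restricted (constructed sample)
  const frame = new BrowsingContext("frame", top);
  const attached = scriptAllowed(frame, link);
  detach(frame, tearDown);
  return { attached, detached: scriptAllowed(frame, link) };
}

console.log(scenario(false, "parent"));       // chain broken, context kept
console.log(scenario(true, "parent"));        // chain broken, context torn down
console.log(scenario(false, "ownerContext")); // check walks the ownerDocument chain
```

Only the first scenario lets script run after the detach, which is the case the teardown exists to prevent.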