27212 2014-10-31 17:46:42 +0000 HTML needs to explain heycam.github.io/webidl/#es-security per bug 27204 comment 7. 2016-01-18 12:29:52 +0000 1 1 1 Unclassified WHATWG HTML unspecified Other other RESOLVED DUPLICATE 22346 https://html.spec.whatwg.org/#scripting P3 normal Unsorted 1 contributor ian annevk bobbyholley bzbarsky ian mike contributor oldest_to_newest 114372 0 contributor 2014-10-31 17:46:42 +0000 Specification: https://html.spec.whatwg.org/multipage/webappapis.html Multipage: https://html.spec.whatwg.org/multipage/#scripting Complete: https://html.spec.whatwg.org/#scripting Referrer: https://html.spec.whatwg.org/multipage/browsers.html Comment: HTML needs to explain heycam.github.io/webidl/#es-security per bug 27204 comment 7. Posted from: 46.127.136.57 by annevk@annevk.nl User agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:36.0) Gecko/20100101 Firefox/36.0 114411 1 ian 2014-11-01 06:20:20 +0000 How does this differ from bug 20701 ? 114412 2 annevk 2014-11-01 08:56:22 +0000 I guess it might be a duplicate if Location/Window are the only objects we need http://heycam.github.io/webidl/#es-security for. 114422 3 bzbarsky 2014-11-03 05:30:03 +0000 Modulo document.domain, they are. When document.domain is involved, browsers disagree in irreconcilable ways on the behavior, unfortunately. HTML specifies a behavior that's not acceptable (considered insecure) to some browsers, etc. So let's not worry about that case. For the Window/Location case, bug 20701 may or may not define the behavior in question here, which is the behavior when you take a function from your own origin and .call it on a cross-origin object this value. The proposed spec at https://etherpad.mozilla.org/html5-cross-origin-objects doesn't define it, afaict. 114423 4 bobbyholley 2014-11-03 07:48:07 +0000 (In reply to Boris Zbarsky from comment #3) > For the Window/Location case, bug 20701 may or may not define the behavior > in question here, which is the behavior when you take a function from your > own origin and .call it on a cross-origin object this value. The proposed > spec at https://etherpad.mozilla.org/html5-cross-origin-objects doesn't > define it, afaict. Hm, I thought we did that somewhere, but I don't see it. Anyway, we should roll that into bug 20701 - the basic gist being "call/apply of a whitelisted method, getter, or setter should work, regardless of which object it was originally retrieved from". 114424 5 bzbarsky 2014-11-03 08:07:19 +0000 Sure; the important part is that call/apply of a non-whitelisted method should _not_ work. 124619 6 annevk 2016-01-18 12:29:52 +0000 *** This bug has been marked as a duplicate of bug 22346 ***