This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
Specification: https://html.spec.whatwg.org/multipage/webappapis.html
Multipage: https://html.spec.whatwg.org/multipage/#scripting
Complete: https://html.spec.whatwg.org/#scripting
Referrer: https://html.spec.whatwg.org/multipage/browsers.html

Comment:
HTML needs to explain heycam.github.io/webidl/#es-security per bug 27204 comment 7.

Posted from: 46.127.136.57 by annevk@annevk.nl
User agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:36.0) Gecko/20100101 Firefox/36.0
How does this differ from bug 20701?
I guess it might be a duplicate if Location/Window are the only objects we need http://heycam.github.io/webidl/#es-security for.
Modulo document.domain, they are. When document.domain is involved, browsers disagree in irreconcilable ways on the behavior, unfortunately. HTML specifies a behavior that's not acceptable (considered insecure) to some browsers, etc. So let's not worry about that case. For the Window/Location case, bug 20701 may or may not define the behavior in question here, which is the behavior when you take a function from your own origin and .call it on a cross-origin object this value. The proposed spec at https://etherpad.mozilla.org/html5-cross-origin-objects doesn't define it, afaict.
(In reply to Boris Zbarsky from comment #3)
> For the Window/Location case, bug 20701 may or may not define the behavior
> in question here, which is the behavior when you take a function from your
> own origin and .call it on a cross-origin object this value. The proposed
> spec at https://etherpad.mozilla.org/html5-cross-origin-objects doesn't
> define it, afaict.

Hm, I thought we did that somewhere, but I don't see it. Anyway, we should roll that into bug 20701 - the basic gist being "call/apply of a whitelisted method, getter, or setter should work, regardless of which object it was originally retrieved from".
Sure; the important part is that call/apply of a non-whitelisted method should _not_ work.
*** This bug has been marked as a duplicate of bug 22346 ***
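Added example, not part of the original bug thread and not any browser's code: a simplified JavaScript model of the rule stated in the last two comments, where the check runs at call time against the `this` value, so a function taken from a same-origin object and `.call`ed on a cross-origin one succeeds only if the operation is whitelisted. The helpers `makeWindow`, `runAs` and `attempt`, the two origins, and the two-entry allowlist are assumptions made for illustration.

```javascript
// Constructed model for illustration; real browsers implement this check natively.
const CROSS_ORIGIN_ALLOWED = new Set(['postMessage', 'close']); // illustrative subset
const originOf = new WeakMap(); // model window -> its origin
let currentOrigin = null;       // origin of the script currently running

class SecurityError extends Error { constructor(m) { super(m); this.name = 'SecurityError'; } }

// The check lives inside the function and inspects the receiver at call time,
// so it cannot be bypassed by fetching the function from a same-origin object.
function defineOperation(proto, name, impl) {
  proto[name] = function (...args) {
    const receiverOrigin = originOf.get(this);
    if (receiverOrigin === undefined) throw new TypeError('Illegal invocation');
    if (receiverOrigin !== currentOrigin && !CROSS_ORIGIN_ALLOWED.has(name)) {
      throw new SecurityError(`${name} denied on cross-origin receiver`);
    }
    return impl.apply(this, args);
  };
}

// Each model window gets its own function objects, as each real global does.
function makeWindow(origin) {
  const proto = {};
  defineOperation(proto, 'postMessage', function (msg) { this.inbox.push(msg); return 'posted'; });
  defineOperation(proto, 'alert', function (msg) { return `alert:${msg}`; });
  const win = Object.create(proto);
  win.inbox = [];
  originOf.set(win, origin);
  return win;
}

function runAs(origin, fn) {
  const previous = currentOrigin;
  currentOrigin = origin;
  try { return fn(); } finally { currentOrigin = previous; }
}

const attempt = (fn) => { try { return fn(); } catch (e) { return e.name; } };

function demo() {
  const mine = makeWindow('https://a.example');
  const theirs = makeWindow('https://b.example');
  return runAs('https://a.example', () => ({
    sameOrigin: attempt(() => mine.alert('hi')),
    borrowedAllowed: attempt(() => mine.postMessage.call(theirs, 'hello')),
    borrowedDenied: attempt(() => mine.alert.call(theirs, 'hi')),
    notAWindow: attempt(() => mine.alert.call({}, 'hi')),
    delivered: theirs.inbox.length,
  }));
}
```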