Closed
Bug 925465
Opened 11 years ago
Closed 6 years ago
Drop support for named and indexed access on cross-origin windows referencing via sandboxed iframes windows
Categories
(Core :: XPConnect, defect)
Core
XPConnect
Tracking
()
RESOLVED
WONTFIX
People
(Reporter: bruant.d, Unassigned)
References
Details
Rising from the ashes of bug 916939. Maybe sandboxed iframes are recent enough to have a saner relationship to their parent? This would remove a sync communication channel between a parent and an iframe, allowing thread/process/task isolation of iframes.
Comment 1•11 years ago
|
||
Define "acquired"?
Reporter | ||
Comment 2•11 years ago
|
||
(In reply to Boris Zbarsky [:bz] (Vacation Oct 12 - Oct 27) from comment #1) > Define "acquired"? Yeah sorry, something like "got a reference to". In code: parent context: <iframe id="foo" sandbox="allow-script"> <script> var win = document.getElementById('foo').contentWindow; // that's what I call "acquire" // since win references a sandboxed iframe window, named and indexed access could be // decided not to work anymore </script> ... I realize this certainly requires some sort of WindowProxy2. I should probably take this to the WHATWG first, sorry for the noise.
Summary: Drop support for named and indexed access on cross-origin windows acquired from sandboxed iframes → Drop support for named and indexed access on cross-origin windows referencing via sandboxed iframes windows
Comment 3•11 years ago
|
||
> since win references a sandboxed iframe window
Hmm. I guess sandboxing propagates to subframes too... Bobby, thoughts? This might be reasonable.
Flags: needinfo?(bobbyholley+bmo)
Comment 4•11 years ago
|
||
We could easily implement this in our security wrappers if we wanted to. I'm happy to use Gecko as a guinea pig if we need to test the web-compatibility of this change. I suspect it should be ok. (In reply to David Bruant from comment #2) > ... I realize this certainly requires some sort of WindowProxy2. I should Not necessarily. The current spec language for cross-origin object access is inaccurate, and Hixie and I are actively sorting out what this stuff should look like. See [1]. > probably take this to the WHATWG first, sorry for the noise. Given the above, you might have better luck waiting until [1] is sorted out. [1] https://www.w3.org/Bugs/Public/show_bug.cgi?id=20701
Flags: needinfo?(bobbyholley+bmo)
Comment 5•6 years ago
|
||
Per policy at https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Inactive_Bugs. If this bug is not an enhancement request or a bug not present in a supported release of Firefox, then it may be reopened.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INACTIVE
Comment 6•6 years ago
|
||
I suspect at this point this is just wontfix, given the deployment status of sandboxing. :(
Resolution: INACTIVE → WONTFIX
You need to log in
before you can comment on or make changes to this bug.
Description
•