bholley
commented
8 years ago I think it should use the "current global", which is observably equivalent in this case (possibly modulo document.domain), but much simpler to implement and What We Mean.
Closed jyasskin closed 8 years ago
bholley
commented
8 years ago I think it should use the "current global", which is observably equivalent in this case (possibly modulo document.domain), but much simpler to implement and What We Mean.
bholley
commented
8 years ago CC @annevk and @domenic to make sure they agree here.
mikewest
commented
8 years ago Ah. "current global" is new to me (and I don't actually see it in the spec :) ). I'm totally happy to change to the new terminology if/when it's defined.
annevk
commented
8 years ago FWIW, https://www.w3.org/Bugs/Public/show_bug.cgi?id=26603 is where we are tracking the new terminology. Agreed that we should move to current x (x TBD) where we can.
domenic
commented
8 years ago I am not sure it is equivalent... "current" while inside a UA-defined function generally means the realm/global/whatever of the UA-defined function. It doesn't walk back to the nearest script like incumbent does.
What is the intention here, in all those script-from-one-frame-calling-scripts-from-another cases? Consult the example for incumbent settings object if you are unsure.
mikewest
commented
8 years ago When I wrote the text in question, I meant the incumbent settings object. Since then, we've changed a few things that makes the decision fairly irrelevant, as it's no longer possible for an insecure context to grab a reference to a method from a secure context. So, for this particular case, I'm happy with either, as they end up being equivalent.
It would be helpful, though, if y'all would consider aligning with WebIDL's similar-but-different language around "ECMAScript global environment associated with the Function that implements the whatever", that would be helpful. I don't care what that thing is called, but it would be nice for it to have a name and to be used consistently (or, alternatively, to be spelled out everywhere so we don't have to parse spec text to understand what the name we choose means. :) )
domenic
commented
8 years ago Now that I have dove into this area more, I can say that this should definitely be updated to use "current settings object". See my recent public-script-coord post for more.
mikewest
commented
8 years ago Done, thanks!
https://w3c.github.io/webappsec-secure-contexts/#new suggests specifications should write "If the incumbent settings object is not a secure context …". However, HTML and https://www.w3.org/Bugs/Public/show_bug.cgi?id=26603 suggest that the incumbent settings object is rarely the right one to use, and that we should use the "current" one instead.
@bholley, does Secure Contexts likely need to use incumbent like it does now?