Should perform security check for constructors #249

Closed
zcorpan opened this issue Dec 8, 2016 · 4 comments

@zcorpan
Member

zcorpan commented Dec 8, 2016

See w3c/payment-request#361 (comment)

It seems to me https://heycam.github.io/webidl/#es-constructible-interfaces should invoke "perform a security check" somewhere before step 6.

Test case for WebSocket: http://software.hixie.ch/utilities/js/live-dom-viewer/saved/4720

cc @bzbarsky @annevk

@tobie
Collaborator

tobie commented Dec 8, 2016

If we do this, should we invoke the perform a security check algorithm with Window as the platform object on which the operation invocation is done, the name of the constructor as the operation identifier and "method" as the Function object type? Or should we modify the algorithm in HTML to deal specifically with constructors?

@bzbarsky
Collaborator

bzbarsky commented Dec 8, 2016

@zcorpan Perform a security check on what? Why would we want to do that at all? Note that your testcase never even calls the WebSocket constructor, so I'm not sure why it's relevant to this bug. A testcase that does call it is http://software.hixie.ch/utilities/js/live-dom-viewer/saved/4721 and that one would be problematic even if the navigation were to a same-origin page: either way the websocket would stay alive forever per spec. See whatwg/websockets#22 that I just filed.

@tobie, the check you describe would always pass, no?

@zcorpan
Member Author

zcorpan commented Dec 8, 2016

Oops, thanks for correcting the test case.

> Perform a security check on what?

I don't know. I'm still trying to wrap my head around how these things work. Per your comment above and w3c/payment-request#361 (comment) I take it that the security check wouldn't make sense for constructors, but active document check makes sense. But not for all constructors. Date or Image are not problematic for example. OK. Let's close this and discuss PaymentRequest in the other issue.

zcorpan closed this as completed Dec 8, 2016

@tobie
Collaborator

tobie commented Dec 8, 2016

@bzbarsky after a cursory look at the HTML spec, that was my impression too, but given I'm not sure what this security check is actually supposed to check…
