WebKit currently allows for enumeration of all the property names in the window object via a JavaScript "for..in" loop, even when the window object is from a foreign domain. This could cause a security problem if a JavaScript author made the mistake of storing a password in a variable name or something. I've posted a demonstration of this problem to this bug's URL. Document B sets a global variable named "superSecretThing", document A embeds document B in an iframe, and is able to see the secret variable name from a foreign domain.
<rdar://problem/5640454>
This can, e.g., leak whether a user is logged in on another domain, if that domain initialises variables after the user logs in.
Created attachment 18204: patch
Landed in r29044.
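The leak described in this report, modeled outside a browser as an added example (not WebKit's code and not the patch in r29044): a wrapper that forwards enumeration exposes every global name, while one that filters each name-revealing operation does not. The `foreignGlobal` object, the `loggedInUser` name, the allowlist contents and all function names are assumptions made for illustration.

```javascript
'use strict';

// Constructed stand-in for document B's global object (not real page state).
const foreignGlobal = {
  superSecretThing: 'value is irrelevant; the name is what leaks',
  loggedInUser: 'set only after login (constructed)',
  location: { href: 'https://b.example/' },
  postMessage() {},
  closed: false,
};

// Assumed allowlist of names a foreign document may see (illustrative).
const CROSS_ORIGIN_VISIBLE = new Set(['location', 'postMessage', 'closed']);

// Pre-fix model: the wrapper forwards every operation, including enumeration.
function leakyView(target) {
  return new Proxy(target, {});
}

// Hardened model: every trap that can reveal a name consults the allowlist.
function restrictedView(target, visible) {
  const ok = (key) => typeof key === 'string' && visible.has(key);
  return new Proxy(target, {
    ownKeys: (t) => Reflect.ownKeys(t).filter(ok),
    getOwnPropertyDescriptor: (t, key) =>
      ok(key) ? Reflect.getOwnPropertyDescriptor(t, key) : undefined,
    has: (t, key) => ok(key) && Reflect.has(t, key),
    get(t, key) {
      if (typeof key === 'string' && !ok(key)) {
        throw new Error(`cross-origin access to "${key}" denied`);
      }
      return typeof key === 'string' ? Reflect.get(t, key) : undefined;
    },
    getPrototypeOf: () => null, // no inherited names to walk either
  });
}

// What document A does in the report: a plain for..in over the foreign window.
function enumerate(view) {
  const names = [];
  for (const name in view) names.push(name);
  return names;
}

console.log('leaky:     ', enumerate(leakyView(foreignGlobal)));
console.log('restricted:', enumerate(restrictedView(foreignGlobal, CROSS_ORIGIN_VISIBLE)));
```

Filtering only enumeration is not enough: the `in` operator and property descriptors would still confirm a guessed name, which is why the hardened wrapper covers those traps as well.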