NEW 160952
Wrapper for an adopted node can be created in inconsistent global objects
https://bugs.webkit.org/show_bug.cgi?id=160952
Ryosuke Niwa
Reported 2016-08-17 18:30:29 PDT
When a node is adopted into another document without first having a JS wrapper, its wrapper could be created in either the original document's or new document's global object depending on how those nodes are accessed.
Attachments
Demo (1.24 KB, text/html)
2016-08-17 18:30 PDT, Ryosuke Niwa
no flags
Patch (46.86 KB, patch)
2016-08-22 14:56 PDT, Ryosuke Niwa
no flags
Ryosuke Niwa
Comment 1 2016-08-17 18:30:52 PDT
Ryosuke Niwa
Comment 2 2016-08-17 18:36:05 PDT
In this demo, a div element is created in document A, and span and b elements are created as descendants of the div via div.innerHTML. The div is then adopted into another document B. When accessing the span and the b elements in document B, the manner of accessing those nodes determines the global object in which the wrappers are created. If we're creating via .firstChild or any other property or any method of the div, then we'd create a wrapper using document A's global object. If it's done via properties or methods on any other object whose global object is that of document B, then we'd create a wrapper using the global object of document B.
Geoffrey Garen
Comment 3 2016-08-18 16:18:31 PDT
I think the best way to fix this is probably to eagerly reify all wrappers when adopting a node between documents.
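The behaviour described in comment 2 and the eager-reification idea from comment 3, as a toy model added here for illustration (not WebKit code and not part of the bug thread). `Global`, `DomNode`, `wrap`, `viaParent`, `viaGlobal`, `adopt` and `scenario` are hypothetical names, and reifying into the original document's global object is an assumption the thread does not state.

```javascript
// Toy model of lazy JS wrapper creation (constructed; not WebKit internals).
class Global { constructor(name) { this.name = name; } }

class DomNode {
  constructor(tag, ownerGlobal) {
    this.tag = tag;
    this.ownerGlobal = ownerGlobal; // global object of the node's document
    this.children = [];
    this.wrapperGlobal = null;      // null: no JS wrapper exists yet
  }
}

// Rule from comment 2: a missing wrapper is created in the global object of
// whatever object script used to reach the node. Existing wrappers are kept.
function wrap(node, accessorGlobal) {
  if (node.wrapperGlobal === null) node.wrapperGlobal = accessorGlobal;
  return node.wrapperGlobal;
}

// Access through a property of the parent's wrapper (like div.firstChild).
function viaParent(parent) { return wrap(parent.children[0], parent.wrapperGlobal); }
// Access through some other object living in `global` (like a method on document B).
function viaGlobal(global, node) { return wrap(node, global); }

// Adoption moves the subtree to a new document. With `reify`, every node gets
// its wrapper before ownership changes (assumption: in the original global).
function adopt(root, newGlobal, reify) {
  const visit = (n) => {
    if (reify) wrap(n, n.ownerGlobal);
    n.ownerGlobal = newGlobal;
    n.children.forEach(visit);
  };
  visit(root);
}

// The demo's shape: div created in A, span > b parsed in without wrappers,
// div adopted into B, then span and b reached by two different paths.
function scenario(reify) {
  const A = new Global('A'), B = new Global('B');
  const div = new DomNode('div', A);
  const span = new DomNode('span', A);
  const b = new DomNode('b', A);
  div.children.push(span);
  span.children.push(b);
  wrap(div, A);            // script in A holds the div, so it has a wrapper
  adopt(div, B, reify);
  viaParent(div);          // span reached via the div's wrapper
  viaGlobal(B, b);         // b reached via an object in document B
  return { span: span.wrapperGlobal.name, b: b.wrapperGlobal.name };
}
```

Calling `scenario(false)` leaves the two descendants wrapped in different global objects, while `scenario(true)` puts both in the same one regardless of the access path.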
Ryosuke Niwa
Comment 4 2016-08-22 14:56:03 PDT
Ryosuke Niwa
Comment 5 2016-08-22 14:56:28 PDT
Comment on attachment 286622: Patch
Oops, wrong bug.