To avoid privilege escalation bugs by global object leakage, ES5 repaired Ch15 to coerce the this-bindings of its methods by "ToObject". Thus, primitive values wrap but null and undefined throw an exception instead. For example, 15.4.4.10 Array.prototype.slice step 1 says: 1. Let O be the result of calling ToObject passing the this value as the argument. However, on WebKit nightly (Safari Version 5.0.1 (5533.17.8, r73886)) window[0] = 'a'; window[1] = 'b'; window[2] = 'c'; window.length = 3; [].slice.call(null, 0); // prints a,b,c showing that slice still leaks access to the global object. Even though this is a security bug, I have entered this as a WebKit bug, not a security bug, because no released Safari yet implements ES5, so there is time to fix this before it causes harm. See also https://bugzilla.mozilla.org/show_bug.cgi?id=619283
<rdar://problem/8895966>
Created attachment 90865 [details] 'valueOf()' in a script tag still does bad this coercion The attachment should alert 'ok' and does so correctly on FF4. On Safari Version 5.0.4 (5533.20.27, r84622) it alerts 'bad value: [object DOMWindow]' instead. Should this case be reported as part of this bug 51097, or should I file a distinct bug? See https://bugzilla.mozilla.org/show_bug.cgi?id=652375
Should this be merged with https://bugs.webkit.org/show_bug.cgi?id=58338 ?
*** This bug has been marked as a duplicate of bug 64250 ***