To avoid privilege escalation bugs by global object leakage, ES5 repaired Ch15 to coerce the this-bindings of its methods by "ToObject". Thus, primitive values wrap but null and undefined throw an exception instead. For example, 126.96.36.199 Array.prototype.slice step 1 says:
1. Let O be the result of calling ToObject passing the this value as the argument.
However, on WebKit nightly (Safari Version 5.0.1 (5533.17.8, r73886))
window = 'a';
window = 'b';
window = 'c';
window.length = 3;
.slice.call(null, 0); // prints a,b,c
showing that slice still leaks access to the global object.
Even though this is a security bug, I have entered this as a WebKit bug, not a security bug, because no released Safari yet implements ES5, so there is time to fix this before it causes harm.
See also https://bugzilla.mozilla.org/show_bug.cgi?id=619283
Created attachment 90865 [details]
'valueOf()' in a script tag still does bad this coercion
The attachment should alert 'ok' and does so correctly on FF4. On Safari Version 5.0.4 (5533.20.27, r84622) it alerts 'bad value: [object DOMWindow]' instead. Should this case be reported as part of this bug 51097, or should I file a distinct bug?
Should this be merged with https://bugs.webkit.org/show_bug.cgi?id=58338 ?
*** This bug has been marked as a duplicate of bug 64250 ***