On 7/15/13 4:32 PM, Robert O'Callahan wrote:
> A minor random thought related to that design:
> Using integer IDs, as Gecko does, raises the possibility of a bug,
> possibly even a security bug, where a rogue IFRAME is able to render
> itself at the wrong place in the tree. In Gecko, preventing a
> compromised process from doing an attack like that requires explicit
> code to track which IDs have been issued to a process and checking to
> make sure it doesn't use an ID we didn't give it. Obviously it would be
> much better to use an object-capability approach, but of course we can't
> do that in Gecko. So it would be nice if Rust+Servo can provide a robust
> cross-task object-capability-ID abstraction for use in situations like this.

Right, that's been on our mind as well. We try to use channels and ports
wherever we can. In general channels and ports are better than IDs in
every way: they cannot be forged and have better memory management
properties (as integer IDs can't really be reference counted).
Patrick
_______________________________________________
dev-servo mailing list
dev-servo@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-servo
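
The contrast discussed in this message, as an added example that is not code from the thread, Gecko or Servo: an ID-based compositor that needs an explicit "was this ID issued to you" check, next to a layer handle that is the sending half of a channel. The names `IdCompositor`, `LayerCap` and `new_layer` are hypothetical, and `std::sync::mpsc` between threads stands in for cross-task channels and ports.

```rust
use std::collections::{HashMap, HashSet};
use std::sync::mpsc::{channel, Receiver, Sender};

// Hypothetical ID-based compositor: must record which layer IDs each process was given.
#[derive(Default)]
struct IdCompositor {
    issued: HashMap<u32, HashSet<u32>>, // process id -> layer ids issued to it
    painted: HashMap<u32, String>,      // layer id -> last content painted
    next_id: u32,
}
impl IdCompositor {
    fn issue(&mut self, process: u32) -> u32 {
        self.next_id += 1;
        self.issued.entry(process).or_default().insert(self.next_id);
        self.next_id
    }
    // The explicit ownership check; without it any guessed integer would be accepted.
    fn paint(&mut self, process: u32, layer: u32, content: &str) -> Result<(), &'static str> {
        let owned = self.issued.get(&process).map_or(false, |ids| ids.contains(&layer));
        if !owned {
            return Err("layer ID was not issued to this process");
        }
        self.painted.insert(layer, content.to_string());
        Ok(())
    }
}

// Capability-based layer: the handle is a channel sender. The field is private, so
// code outside this module can only obtain a LayerCap by being handed one.
struct LayerCap(Sender<String>);
impl LayerCap {
    fn paint(&self, content: &str) -> bool {
        self.0.send(content.to_string()).is_ok()
    }
}
fn new_layer() -> (LayerCap, Receiver<String>) {
    let (tx, rx) = channel();
    (LayerCap(tx), rx)
}

fn main() {
    let mut comp = IdCompositor::default();
    let (a, b) = (comp.issue(1), comp.issue(2));
    println!("own layer: {:?}", comp.paint(1, a, "frame A"));
    println!("guessed ID: {:?}", comp.paint(1, b, "spoof"));
    let (cap, rx) = new_layer();
    cap.paint("frame A");
    drop(cap); // last handle dropped: the receiver sees the channel disconnect
    println!("{:?} then {:?}", rx.recv(), rx.recv());
}
```

With the channel handle there is no table of issued IDs to maintain, and dropping the last `LayerCap` tells the receiving side that the layer has no remaining owner.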