This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
According to bz IDL needs to account for WindowProxy. When operations are passed a WindowProxy, the security check needs to be performed on the underlying Window. Bug 27128 has some ideas and ramblings, though mostly I think we want to pass the actual Window object to the "perform a security check" operation when given a WindowProxy. Per https://github.com/annevk/html-cross-origin-objects the tentative plan is that the Window can be found on the WindowProxy's [[Window]] internal slot.
The conclusion from that bug seems to be that we don't pass around Window, only WindowProxy. Places that accept a WindowProxy as input would be UIEvent and MessageEvent. As far as I can tell no security check is needed for that. We might also to prevent Window from being accepted or returned anywhere syntax-wise, so folks always end up with WindowProxy if they were not paying attention. Web IDL does need to make sure that "perform a security check" happens on the Window object, not the WindowProxy, as I mentioned. Together with https://github.com/whatwg/html/pull/638 I'm hopeful we'll finally have a solid baseline in standards for these objects. Some iteration is likely still required, but it should be much better than before.
I don't plan on contributing text to IDL for now. Resetting assignee to default.
https://github.com/heycam/webidl/issues/656