The robustness of the combined code depends on finding all the right spots in Netscape's code at which to interpose our API calls such that we close all back doors. At the same time, our implementation makes calls to basic functions in the Netscape code and therefore relies on the correct behavior of that code. Much of that code is devoted to identifying the subject and object origin URLs. (The subject origin URL is the place where the executing JavaScript code comes from. The object origin URL is the place where the JavaScript code comes from for the object being acted on.) If our code were to get the wrong information, it could possibly grant access inappropriately, thus opening a security hole. Given the importance of this basic code, we suggest a more methodical approach to realize these two basic functions. (See the subsequent subsections.)
Another area of concern is that object values persist across document
loads in a window. Each document is supposed to form a separate context.
However, in Netscape's current implementation, window.name maintains
its value across document loads. A clever intruder could then access the
information that was supposed to be destroyed with the object. While we
have fixed the case of window.name, we chose not to close this
hole in its generality, because we believe that the new Netscape document
object model (DOM) would do so for us.