From 0c45df84a6dab701e5a8e3eefd3d566ce3591737 Mon Sep 17 00:00:00 2001 From: Domenic Denicola Date: Tue, 19 Jul 2016 14:00:04 -0400 Subject: [PATCH] Disallow mismatches between custom element local names and brands Without this fix, it is possible to install the brand for one type of element on an element with a different local name, in one of two different ways (both shown here as examples). This fix makes the super() call throw when this is attempted, preserving the invariant that a brand is only installed on an element with the correct local name. Originally discussed at https://bugs.chromium.org/p/chromium/issues/detail?id=619062. --- source | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) diff --git a/source b/source index 466c8590e0a..1ea1d933c75 100644 --- a/source +++ b/source @@ -2999,6 +2999,7 @@ a.setAttribute('href', 'http://example.com/'); // change the content attribute d
  • JavaScript execution context
  • JavaScript execution context stack
  • running JavaScript execution context
    • +
  • active function object
  • JavaScript realm
  • The current Realm Record
  • Use Strict Directive @@ -9682,6 +9683,61 @@ interface HTMLUnknownElement : HTMLElement { }; NewTarget will be undefined).

    • +
  • +

    If definition's local + name is equal to definition's name (i.e., definition is for + an autonomous custom element), then:

    + +
      +
    1. +

      If the currently-executing constructor is not HTMLElement, then throw a + TypeError and abort these steps.

      + +
      +

      This can occur when a custom element is defined to not extend any local names, but + inherits from a non-HTMLElement class:

      + + 
      customElements.define("bad-1", class Bad1 extends HTMLParagraphElement {});
      + +

      In this case, during the (implicit) super() call that occurs when + constructing an instance of Bad1, the currently-executing constructor + is HTMLParagraphElement, not HTMLElement.

      +
      +
      2. +
    +
    • + +
  • +

    Otherwise (i.e., if definition is for a customized built-in + element):

    + +
      +

    1. Let valid local names be the list of local names for elements defined in this + specification or in other applicable specifications that use the active + function object as their element interface.

      2. + +
    2. +

      If valid local names does not contain definition's local name, then throw a + TypeError and abort these steps.

      + +
      +

      This can occur when a custom element is defined to extend a given local name but inherits + from the wrong class:

      + + 
      customElements.define("bad-2", class Bad2 extends HTMLQuoteElement {}, { extends: "p" });
      + +

      In this case, during the (implicit) super() call that occurs when + constructing an instance of Bad2, valid local names is the + list containing q and blockquote, but definition's local name is p, + which is not in that list.

      +
      +
      3. +
    +
    • +

  • Let prototype be definition's prototype.