
I was doing some experimenting on an HTML page, and say if I do

```javascript
name = "hmm";
console.log(name);
```

and I load it inside of Google Chrome, it displays "hmm", naturally.

The thing is, if I remove the first line or comment it out, and reload the page, it will show "hmm" again. If I create another webpage index2.html and also ONLY do the

```javascript
console.log(name);
```

and change the URL in my browser from index.html to index2.html, it will show "hmm" again.

So I think it is due to `window.name` having this value. But I never knew two pages could share values like that. I thought the `window` object should start fresh and should not carry any value over...

It only happens with `name`. It doesn't happen with `foo`, but still, I think even `name` should not carry over.

What is happening? And what about cross website (cross domain)? That really shouldn't happen, even if it is the same website, should it?

nonopolarity
  • You're setting an existing special property. https://developer.mozilla.org/en-US/docs/Web/API/Window/name – SLaks Jan 18 '16 at 23:41
  • Use `var` to not use global scope – m.antkowicz Jan 18 '16 at 23:43
  • @m.antkowicz using `var` will have the same result... when you use `var` in the global scope, isn't it almost the same, if not exactly the same as not using it, or the same as using `window.name`? – nonopolarity Jan 18 '16 at 23:44
  • Use `var` in a closure to avoid these problems. – Oriol Jan 18 '16 at 23:48
  • @Oriol you mean using an IIFE with local scope. I don't think the concept of closure is really the relevant thing here. It is more related to a local scope – nonopolarity Jan 18 '16 at 23:54
  • Yes, an IIFE, it encloses variables in a local scope. I don't fully understand what exactly you are asking. Do you want to know the historical reasons of `window.name`? Its specific behavior? – Oriol Jan 19 '16 at 00:21

1 Answer


> I never knew two pages can share values like that.

Yeah. Normally, they don't. This is only happening because you used the specific variable name `name`, and used it in the global scope where it means the same thing as the `window` property of the same name.

`window.name` is an oddity dating from the early days of cross-document scripting. As a design it doesn't make any sense today but it's very difficult to get rid of old web behaviours.

When Netscape introduced JavaScript and frames in Navigator 2.0, security wasn't the first priority. The web was a different, less-threatening place, and for business reasons they were more concerned with adding any and all possible features into the browser than designing a coherent and secure platform.

The Same Origin Policy was in its infancy and wasn't regarded as an essential fundamental safeguard, more an undesirable encumbrance pending the design of something better and more permissive. They had a blacklisting instinct: add features and allow access by default, unless it's proven to be a security problem.

The `window.name` property on pop-up windows reflects the `name` argument of the `window.open` method that was called to open it; on frames, it reflects the `name` attribute of the `<frame>` (or `<iframe>`) element that included it. It was expected that scripts would want to access and navigate related windows (and even sub-windows, e.g. a frame inside a frame) by name even across different domains and even when the original document had been navigated. (*)

Consequently a number of properties of `window`, including `name`, were made accessible from outside the origin, and for compatibility remain there today, with a whole load of complex caveats and limitations that have arisen from the endless stream of browser security holes that resulted.

(* It turns out not many people wanted to do that, but they did want to be able to pass string data between two windows on different domains. These days we would just use `window.postMessage` which is designed for this explicit purpose, but back then the only way to do it was to use the only property that was read-write to both parties, `name`. This was clumsy and limited but a number of existing web sites did it, making it very difficult to remove from the web platform.)

Upshot: putting stuff in `window` can have unforeseen consequences, so try to keep global variables to an absolute minimum, and avoid existing properties like `name`.

bobince
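An added example, not part of the original answer: one way to follow its advice by treating any inherited `window.name` as untrusted and using `window.postMessage` with origin checks for cross-window strings. The function names, `TRUSTED_ORIGINS`, the origin `https://app.example.com` and the `{type, payload}` message shape are all assumptions made for illustration.

```javascript
// Assumed allow-list of origins this page is willing to talk to.
const TRUSTED_ORIGINS = new Set(["https://app.example.com"]);

// window.name survives navigation, even across origins, so whatever it holds
// at page load may have been set by a previous, unrelated site.
// Clear it early and return what was found instead of acting on it.
function scrubWindowName(win) {
  const inherited = String(win.name || "");
  win.name = "";
  return inherited;
}

// Validate a MessageEvent-like object. Returns the payload string, or null
// when the message must be ignored.
function acceptMessage(event, trusted = TRUSTED_ORIGINS) {
  if (!trusted.has(event.origin)) return null; // exact match, no substring tests
  const msg = event.data;
  if (msg === null || typeof msg !== "object") return null;
  if (msg.type !== "greeting" || typeof msg.payload !== "string") return null;
  return msg.payload;
}

// Sender side: always name the target origin, never "*", so the browser only
// delivers the data if the target window is still on that origin.
function sendGreeting(targetWindow, text, targetOrigin) {
  if (!TRUSTED_ORIGINS.has(targetOrigin)) {
    throw new Error("untrusted target origin");
  }
  targetWindow.postMessage({ type: "greeting", payload: text }, targetOrigin);
}

// Browser wiring; skipped when the file is run outside a browser.
if (typeof window !== "undefined" && typeof window.addEventListener === "function") {
  scrubWindowName(window);
  window.addEventListener("message", (event) => {
    const text = acceptMessage(event);
    if (text !== null) console.log("received:", text);
  });
}
```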