W3C home > Mailing lists > Public > public-script-coord@w3.org > April to June 2012

Re: [XHR] Constructor behavior seems to be underdefined

From: Ian Hickson <ian@hixie.ch>
Date: Mon, 2 Apr 2012 21:54:56 +0000 (UTC)
To: Boris Zbarsky <bzbarsky@MIT.EDU>
cc: Simon Pieters <simonp@opera.com>, Cameron McCormack <cam@mcc.id.au>, public-webapps@w3.org, "public-script-coord@w3.org" <public-script-coord@w3.org>
Message-ID: <Pine.LNX.4.64.1204022153131.17364@ps20323.dreamhostps.com>
On Mon, 2 Apr 2012, Boris Zbarsky wrote:
> On 4/2/12 2:50 AM, Simon Pieters wrote:
> > I can find:
> > 
> > "User agents must throw a SecurityError exception whenever any
> > properties of a Document object are accessed by scripts whose effective
> > script origin is not the same as the Document's effective script origin."
> > http://www.whatwg.org/specs/web-apps/current-work/multipage/dom.html#documents
> 
> Yeah.  That sort of language is needed somewhere for all objects, not just
> Documents.

Why?

My understanding is that security checks are only done for members of 
Document and Window objects. If you have some other object already, then 
nothing stops you from accessing it if you change your effective origin 
after getting it.


> > I don't know how well this matches reality though.
> 
> Reasonably well, last I checked, for window and document.
> 
> > It seems the spec forbids access to iframe.contentWindow.document but
> > allows iframe.contentDocument.
> 
> Yes.  That's largely what implementations do...

I believe the spec here is actually consistent with reality, indeed.

(In particular, I believe Opera was stricter, and that that caused compat 
issues. I don't see any security issues here.)

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 2 April 2012 21:55:20 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 8 May 2013 19:30:06 UTC