Re: [XHR] Constructor behavior seems to be underdefined

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Mon, 02 Apr 2012 18:09:15 -0400
Message-ID: <4F7A238B.3070103@mit.edu>
To: Ian Hickson <ian@hixie.ch>
CC: Simon Pieters <simonp@opera.com>, Cameron McCormack <cam@mcc.id.au>, public-webapps@w3.org, "public-script-coord@w3.org" <public-script-coord@w3.org>

On 4/2/12 5:54 PM, Ian Hickson wrote:
> My understanding is that security checks are only done for members of
> Document and Window objects.

That understanding certainly isn't correct as stated.  For example, 
security checks are done on at least some members of Location objects 
(e.g. you can write location.href cross-origin, but not read it).

But even past that, I believe the understanding doesn't reflect behavior 
of at least some implementations.  I can't speak to all of them; I 
haven't done extensive testing here.

That said, 
http://web.mit.edu/bzbarsky/www/testcases/effective-origin/test1.html 
has a testcase: Opera throws on the access after changing the origin to 
a different one.  Gecko does not right now, but I believe we're strongly 
considering changing that behavior.  Firefox versions up to Firefox 3 
did throw in this situation, for what it's worth.

> (In particular, I believe Opera was stricter, and that that caused compat
> issues. I don't see any security issues here.)

Interesting.  Opera still seems to have the "stricter" behavior, in my 
testing...

-Boris

Received on Monday, 2 April 2012 22:09:47 UTC
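
The checks Boris describes, as an added example written for this page (not code from the thread, from Opera or from Gecko): a small JavaScript model of origins as (scheme, host, port) tuples, the effective origin produced by setting document.domain, the Location rule that a cross-origin caller may assign href but not read it, and the two XHR behaviours he reports (a strict check that throws once the document's effective origin no longer matches the one the XHR was constructed under, versus no check at all). The class and function names (Doc, XHRModel, locationAccess, xhrAccess, outcome, demo) are hypothetical, the origins are constructed, and the document.domain setter omits the public-suffix restriction real engines apply.

```javascript
// Added example, not code from the thread or from any browser engine.
// Origins are (scheme, host, port) tuples; setting document.domain replaces
// the host and clears the port, which is what "effective origin" refers to.

function parseOrigin(url) {
  const u = new URL(url);
  const scheme = u.protocol.replace(/:$/, '');
  const port = u.port || (scheme === 'https' ? '443' : '80');
  return { scheme, host: u.hostname, port };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// A document whose effective origin can be relaxed with document.domain.
class Doc {
  constructor(url) {
    this.origin = parseOrigin(url);
    this.effectiveOrigin = { ...this.origin };
  }
  setDomain(domain) {
    // Only the current effective host or one of its parent domains is allowed.
    // Assumption/simplification: no public-suffix check, unlike real engines.
    const host = this.effectiveOrigin.host;
    if (host !== domain && !host.endsWith('.' + domain)) {
      throw new Error('SecurityError: document.domain must be a parent of ' + host);
    }
    this.effectiveOrigin = { scheme: this.origin.scheme, host: domain, port: null };
  }
}

// Location: a cross-origin caller may assign href (navigate) but not read it.
function locationAccess(caller, target, op) {
  if (sameOrigin(caller.effectiveOrigin, target.effectiveOrigin)) return 'allowed';
  if (op === 'set href') return 'allowed';
  throw new Error('SecurityError: cross-origin ' + op + ' on Location');
}

// An XHR remembers the effective origin of its document at construction time.
class XHRModel {
  constructor(doc) {
    this.doc = doc;
    this.originAtCreation = { ...doc.effectiveOrigin };
    this.readyState = 0;
  }
}

// strict=true models the behaviour Boris reports for Opera: throw once the
// document's effective origin differs from the one the XHR was created under.
// strict=false models the Gecko behaviour he reports: no such check.
function xhrAccess(xhr, member, strict) {
  if (strict && !sameOrigin(xhr.originAtCreation, xhr.doc.effectiveOrigin)) {
    throw new Error('SecurityError: effective origin changed since construction');
  }
  return xhr[member];
}

// Reduce "returned a value" / "threw" to a string for easy comparison.
function outcome(fn) {
  try { return String(fn()); } catch (e) { return e.message; }
}

// Walk-through with constructed origins (not real sites).
function demo() {
  const a = new Doc('http://a.example.com/');
  const b = new Doc('http://b.example.com/');
  const results = [];
  results.push(outcome(() => locationAccess(a, b, 'set href')));  // allowed
  results.push(outcome(() => locationAccess(a, b, 'get href')));  // SecurityError
  const xhr = new XHRModel(a);
  a.setDomain('example.com');  // a's effective origin is now (http, example.com, no port)
  results.push(outcome(() => xhrAccess(xhr, 'readyState', true)));   // strict: SecurityError
  results.push(outcome(() => xhrAccess(xhr, 'readyState', false)));  // lenient: 0
  return results;
}

console.log(demo().join('\n'));
```

Run it with node; demo() prints the four outcomes in order. The strict branch is the situation the linked testcase exercises: the XHR is created under one effective origin and touched under another, so a strict implementation treats the access as cross-origin even though the script and the object live in the same document.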