Re: [XHR] Constructor behavior seems to be underdefined

On 4/2/12 5:54 PM, Ian Hickson wrote:
> My understanding is that security checks are only done for members of
> Document and Window objects.

That understanding certainly isn't correct as stated.  For example, 
security checks are done on at least some members of Location objects 
(e.g. you can write location.href cross-origin, but not read it).

But even past that, I believe the understanding doesn't reflect behavior 
of at least some implementations.  I can't speak to all of them; I 
haven't done extensive testing here.

That said, 
http://web.mit.edu/bzbarsky/www/testcases/effective-origin/test1.html 
has a testcase: Opera throws on the access after changing the origin to 
a different one.  Gecko does not right now, but I believe we're strongly 
considering changing that behavior.  Firefox versions up to Firefox 3 
did throw in this situation, for what it's worth.

> (In particular, I believe Opera was stricter, and that that caused compat
> issues. I don't see any security issues here.)

Interesting.  Opera still seems to have the "stricter" behavior, in my 
testing...

-Boris

Received on Monday, 2 April 2012 22:09:47 UTC