W3C home > Mailing lists > Public > public-script-coord@w3.org > April to June 2012

Re: Proposal: Security checks after same-origin revocation with document.domain

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Fri, 13 Apr 2012 18:02:19 -0400
Message-ID: <4F88A26B.7040502@mit.edu>
To: Ian Hickson <ian@hixie.ch>
CC: Bobby Holley <bobbyholley@gmail.com>, public-script-coord@w3.org, w3c@adambarth.com, Johnny Stenback <jst@mozilla.com>, Blake Kaplan <mrbkap@mozilla.com>, Daniel Veditz <dveditz@mozilla.com>
On 4/13/12 5:56 PM, Ian Hickson wrote:
> On Fri, 13 Apr 2012, Bobby Holley wrote:
>>
>> I think this is suboptimal behavior. If we value revocation enough to
>> spec it [...]
>
> I don't think we do. It's only specced because that's what browsers did,
> and I try to spec what browsers do.

Actually, having revocation is very important in some scenarios; 
otherwise you can't use document.domain securely at all.

With the current spec setup you _can_ use it securely but only if you're 
incredibly careful in terms of what objects you page holds on to from 
before it set document.domain.  It's a bit of a footgun.

-Boris
Received on Friday, 13 April 2012 22:02:51 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 8 May 2013 19:30:06 UTC