
Re: Proposal: Security checks after same-origin revocation with document.domain

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Fri, 13 Apr 2012 21:03:55 -0400
Message-ID: <4F88CCFB.8030209@mit.edu>
To: Ian Hickson <ian@hixie.ch>
CC: Bobby Holley <bobbyholley@gmail.com>, public-script-coord@w3.org, w3c@adambarth.com, Johnny Stenback <jst@mozilla.com>, Blake Kaplan <mrbkap@mozilla.com>, Daniel Veditz <dveditz@mozilla.com>

On 4/13/12 6:38 PM, Ian Hickson wrote:
>> Actually, having revocation is very important in some scenarios;
>> otherwise you can't use document.domain securely at all.
>
> Can you elaborate on that?

For example, if you have pages A and B at foo.example.com, and a page C 
at bar.example.com, and A has any sort of way to get to B, and then both 
A and C set document.domain to "example.com", then not revoking A's 
access to B gives C access to B.  But B didn't opt in via setting 
document.domain and may not be expecting access from C.

As the spec is written right now, you can do this safely as long as A 
(and that includes all libraries loaded by A and all browser extensions 
that might interact with both B and A) is very careful to never hold 
references to any objects from B except the Window and Document.  If A 
screws this up (or if a browser extension screws it up by injecting a B 
object somewhere into A), it screws B over.

-Boris
Received on Saturday, 14 April 2012 01:04:27 UTC
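
The scenario in the message above as a simplified model, added here as an example; it is not part of the original message and is not browser code. `Page`, `sameEffectiveOrigin` and `runScenario` are hypothetical names, and the assumption that only Window/Document boundary crossings are origin-checked follows the message's description of the spec.

```javascript
// Toy model of document.domain access checks (constructed for illustration).
class Page {
  constructor(name, host) {
    this.name = name;
    this.host = host;
    this.domain = null; // null means document.domain was never set
    this.held = [];     // plain object references this page has stored
  }
  setDomain(d) {
    // Only the page's own host or a parent suffix of it is accepted.
    if (d !== this.host && !this.host.endsWith("." + d)) {
      throw new Error("SecurityError");
    }
    this.domain = d;
  }
}

// Check applied when one page touches another page's Window or Document:
// both never set document.domain and hosts match, or both set it to the same value.
function sameEffectiveOrigin(p, q) {
  if (p.domain === null && q.domain === null) return p.host === q.host;
  if (p.domain !== null && q.domain !== null) return p.domain === q.domain;
  return false;
}

function runScenario(aKeepsBObject) {
  const A = new Page("A", "foo.example.com");
  const B = new Page("B", "foo.example.com");
  const C = new Page("C", "bar.example.com");

  const aToBBefore = sameEffectiveOrigin(A, B);
  // While still same-origin with B, A (or a library or extension acting in A)
  // may stash a non-Window, non-Document object that belongs to B.
  if (aKeepsBObject) A.held.push({ owner: B, label: "object from B" });

  A.setDomain("example.com");
  C.setDomain("example.com");

  const cToA = sameEffectiveOrigin(C, A);
  return {
    aToBBefore,
    aToBAfter: sameEffectiveOrigin(A, B),  // boundary access is revoked
    cToA,                                  // C and A both opted in
    cToBDirect: sameEffectiveOrigin(C, B), // B never opted in
    // Held references are not re-checked, so C reaches B's object through A.
    cToBViaA: cToA && A.held.some((o) => o.owner === B),
  };
}
```

With `runScenario(false)` the only path from C to B is the checked boundary, which fails; with `runScenario(true)` the stored reference gives C a path to B even though every boundary check involving B fails.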