Re: Proposal: Security checks after same-origin revocation with document.domain

On Fri, 13 Apr 2012, Boris Zbarsky wrote:
> On 4/13/12 6:38 PM, Ian Hickson wrote:
> > > Actually, having revocation is very important in some scenarios; 
> > > otherwise you can't use document.domain securely at all.
> > 
> > Can you elaborate on that?
> 
> For example, if you have pages A and B at foo.example.com, and a page C 
> at bar.example.com, and A has any sort of way to get to B, and then both 
> A and C set document.domain to "example.com", then not revoking A's 
> access to B gives C access to B.  But B didn't opt in via setting 
> document.domain and may not be expecting access from C.
>
> As the spec is written right now, you can do this safely as long as A 
> (and that includes all libraries loaded by A and all browser extensions 
> that might interact with both B and A) is very careful to never hold 
> references to any objects from B except the Window and Document.
> If A screws this up (or if a browser extesion screws it up by injecting 
> a B object somewhere into A), it screws B over.

There's lots of other ways to screw it up, e.g. anything on 
foo.example.com that reflects HTML back, even if it checks the origin of 
the submitter, would end up letting B run code in A's origin, letting C do 
whatever it wants with B. Similarly, anything on any other port on any 
other subdomain of example.com can now access A and B. In general, authors 
should IMHO assume that if they've set document.domain to let another 
origin's pages access them, they've given access to the entire origin. If 
that's not acceptable, then they shouldn't use document.domain, but should 
instead use one of the more secure mechanisms like postMessage().

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Friday, 22 June 2012 23:07:34 UTC