
Re: Proposal: Security checks after same-origin revocation with document.domain

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Mon, 25 Jun 2012 21:52:36 -0400
Message-ID: <4FE915E4.5080703@mit.edu>
To: Ian Hickson <ian@hixie.ch>
CC: Bobby Holley <bobbyholley@gmail.com>, public-script-coord@w3.org, w3c@adambarth.com, Johnny Stenback <jst@mozilla.com>, Blake Kaplan <mrbkap@mozilla.com>, Daniel Veditz <dveditz@mozilla.com>
On 6/25/12 7:13 PM, Ian Hickson wrote:
> It can load A in an iframe.

Ah, fair.  So yes, reflecting random markup off the server is bad.  ;)

>> No, they do security checks at Window boundaries.  You're saying that
>> authors should assume those security checks are not there.  But they
>> are, precisely to provide _some_ protection.
>
> But you're arguing this protection is essentially worthless

No, I'm arguing this protection is hard to work with.  That's not the 
same thing.  _You_ are arguing it's worthless.

> so it's not clear to me why it's worthwhile enough that only providing it doesn't
> break the Web but worthwhile little enough that only providing it would
> break the Web.

I think you misunderstood.

I think providing no protection at all would break the web.

I think providing what's in the spec now makes some existing things work 
and makes it _possible_ to write pages that are safe but very difficult 
to do so.

I think doing security checks (if needed; note that a UA can optimize 
many of these away for actual same-origin access) on a larger set of 
objects would make it _easier_ to write pages that are safe (though not 
completely foolproof, as your markup reflection example points out).

> It seems like if we're going to advocate anything to authors, the thing to
> advocate is "forget about document.domain altogether".

Sure.  We should do that too.  I don't expect authors to stop using it 
altogether.

-Boris
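Added example (not part of the thread, and not any browser's code): a small model of the "same origin-domain" comparison a browser performs at a Window boundary once document.domain is involved. It shows the case the thread turns on: a document that relaxes document.domain stops being same origin-domain with an otherwise identical origin that did not, and the port is ignored once both sides have set a domain. The public-suffix check on the assigned value is omitted as a stated simplification, and all URLs and names below are constructed for the example.

```javascript
// Parse a URL into the tuple origin a document starts with. `domain` models the
// origin's domain component, which stays null until document.domain is assigned.
function originOf(url) {
  const u = new URL(url);
  return { scheme: u.protocol.slice(0, -1), host: u.hostname, port: u.port, domain: null };
}

// Model of assigning document.domain: the value must equal the current host or be a
// dot-separated suffix of it (the public-suffix check is omitted as a simplification).
// Returns a new origin; throws where a browser would raise a SecurityError.
function setDocumentDomain(origin, value) {
  const v = value.toLowerCase();
  if (v !== origin.host && !origin.host.endsWith('.' + v)) {
    throw new Error('SecurityError: "' + value + '" is not a suffix of ' + origin.host);
  }
  return { ...origin, domain: v };
}

// Plain same-origin: scheme, host and port all match.
function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// "Same origin-domain": either both sides have set the same domain (schemes must match,
// port is ignored), or neither has set one and they are same origin. A document that
// set document.domain is no longer same origin-domain with one that did not, even if
// both started from the same origin; that is the revocation the thread discusses.
function sameOriginDomain(a, b) {
  if (a.domain !== null && b.domain !== null) {
    return a.scheme === b.scheme && a.domain === b.domain;
  }
  if (a.domain === null && b.domain === null) {
    return sameOrigin(a, b);
  }
  return false;
}

// The Window-boundary check: cross-window property access is allowed only when the
// caller's origin is same origin-domain with the target document's origin.
function canAccessWindow(caller, target) {
  return sameOriginDomain(caller, target);
}

// Constructed scenario: two subdomains, a second document on the first subdomain that
// never touches document.domain, and a same-host document on a different port.
function scenario() {
  const a = originOf('https://a.example.com/app');
  const b = originOf('https://b.example.com/widget');
  const aAgain = originOf('https://a.example.com/other');
  const aOtherPort = originOf('https://a.example.com:8443/admin');
  const aRelaxed = setDocumentDomain(a, 'example.com');
  const bRelaxed = setDocumentDomain(b, 'example.com');
  const aOtherPortRelaxed = setDocumentDomain(aOtherPort, 'example.com');
  return {
    beforeRelax: canAccessWindow(a, b),                      // different hosts
    afterBothRelax: canAccessWindow(aRelaxed, bRelaxed),     // both relaxed to example.com
    onlyOneRelaxed: canAccessWindow(aRelaxed, b),            // b never relaxed
    revokedSameOrigin: canAccessWindow(aRelaxed, aAgain),    // same origin, but a relaxed
    portIgnoredOnceRelaxed: canAccessWindow(aRelaxed, aOtherPortRelaxed),
  };
}

// A value that is not a suffix of the host is rejected, mirroring the browser's SecurityError.
function rejectsForeignDomain() {
  try {
    setDocumentDomain(originOf('https://a.example.com/'), 'evil.test');
    return false;
  } catch (e) {
    return /SecurityError/.test(e.message);
  }
}

console.log(scenario(), rejectsForeignDomain());
```

The `revokedSameOrigin` case is the one authors most often miss: relaxing document.domain in one frame cuts it off from same-origin frames that did not, and `portIgnoredOnceRelaxed` shows that the relaxed check also drops the port from the comparison.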
Received on Tuesday, 26 June 2012 01:53:14 UTC
