- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Mon, 25 Jun 2012 21:52:36 -0400
- To: Ian Hickson <ian@hixie.ch>
- CC: Bobby Holley <bobbyholley@gmail.com>, public-script-coord@w3.org, w3c@adambarth.com, Johnny Stenback <jst@mozilla.com>, Blake Kaplan <mrbkap@mozilla.com>, Daniel Veditz <dveditz@mozilla.com>
On 6/25/12 7:13 PM, Ian Hickson wrote:
> It can load A in an iframe.

Ah, fair. So yes, reflecting random markup off the server is bad. ;)

>> No, they do security checks at Window boundaries. You're saying that
>> authors should assume those security checks are not there. But they
>> are, precisely to provide _some_ protection.
>
> But you're arguing this protection is essentially worthless

No, I'm arguing this protection is hard to work with. That's not the same thing. _You_ are arguing it's worthless.

> so it's not clear to me why it's worthwhile enough that only providing it doesn't
> break the Web but worthwhile little enough that only providing it would
> break the Web.

I think you misunderstood. I think providing no protection at all would break the web. I think providing what's in the spec now makes some existing things work and makes it _possible_ to write pages that are safe but very difficult to do so. I think doing security checks (if needed; note that a UA can optimize many of these away for actual same-origin access) on a larger set of objects would make it _easier_ to write pages that are safe (though not completely foolproof, as your markup reflection example points out).

> It seems like if we're going to advocate anything to authors, the thing to
> advocate is "forget about document.domain altogether".

Sure. We should do that too. I don't expect authors to stop using it altogether.

-Boris
Received on Tuesday, 26 June 2012 01:53:14 UTC