
Need to define same-origin policy for WebIDL operations/getters/setters

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Sat, 15 Dec 2012 13:43:35 -0500
Message-ID: <50CCC4D7.8010206@mit.edu>
To: "public-script-coord@w3.org" <public-script-coord@w3.org>
CC: whatwg <whatwg@lists.whatwg.org>

Ccing whatwg because that's where the whole "origin" thing is currently 
defined.

Consider this testcase:

<iframe src="http://w3.org"></iframe><script>
window.onload = function () {
   try {
     var doc = document.querySelector("iframe").contentDocument;
     var list = document.getElementsByTagName.call(doc, "*");
     alert(list.item(0).textContent);
   } catch (e) {
     alert(e);
   }
}</script>

This throws in Safari, Chrome, Firefox, and Opera, all on the 
"getElementsByTagName.call" bit (except when loaded via file:// in 
Safari, in which case it actually lets you read all data from a random 
website in the iframe).

But I see nothing in the specs that requires this behavior, or indeed 
even allows it.  The security bits currently in the HTML spec talk about 
property access on cross-origin Document and Window, but in this case 
there is no property access happening on them per se...

In any case, this needs to be defined somewhere.

-Boris
Received on Saturday, 15 December 2012 18:44:04 UTC
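
Added example, not part of the original message and not any browser's or spec's code: a toy JavaScript model of the gap the message describes, where a guard on property access alone is bypassed by `operation.call(crossOriginObject)` and a same-origin check on the `this` object of the operation closes it. All function names, the `internal` map and the origins are constructed for illustration.

```javascript
// Constructed model, not browser code; every name below is hypothetical.
class SecurityError extends Error {}

// Stand-in for internal slots: maps a script-visible object to its document.
const internal = new WeakMap();

// Guard on property access only: a cross-origin document is handed to script
// behind a Proxy whose get trap throws.
function viewFor(doc, callerOrigin) {
  const view = doc.origin === callerOrigin ? doc : new Proxy(doc, {
    get() { throw new SecurityError("cross-origin property access"); },
  });
  internal.set(view, doc);
  return view;
}

// A native-style operation reads internal slots of `this`, so the property
// guard above is never consulted.
function getElementsByTagNameUnchecked(name) {
  const doc = internal.get(this);
  return doc.elements.filter((e) => name === "*" || e.tag === name);
}

// Guard on the operation itself: compare the caller's origin with the origin
// of the `this` object before running the implementation.
function defineOperation(callerOrigin, impl) {
  return function (...args) {
    const doc = internal.get(this);
    if (!doc) throw new TypeError("Illegal invocation");
    if (doc.origin !== callerOrigin) {
      throw new SecurityError("operation invoked on cross-origin object");
    }
    return impl.apply(this, args);
  };
}

function demo() {
  const page = "http://page.example"; // constructed origins
  const own = viewFor({ origin: page, elements: [{ tag: "p", text: "mine" }] }, page);
  const framed = viewFor(
    { origin: "http://framed.example", elements: [{ tag: "p", text: "secret" }] }, page);
  const checked = defineOperation(page, getElementsByTagNameUnchecked);
  const outcome = (fn) => { try { return fn(); } catch (e) { return e.constructor.name; } };
  return {
    propertyAccess: outcome(() => framed.elements),
    uncheckedCall: outcome(() => getElementsByTagNameUnchecked.call(framed, "*")[0].text),
    checkedCall: outcome(() => checked.call(framed, "*")[0].text),
    sameOrigin: outcome(() => checked.call(own, "*")[0].text),
  };
}
```

In this model `demo()` shows the property guard throwing, the unchecked operation returning the framed document's text, and the checked operation throwing for the cross-origin object while still working same-origin.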
