
Re: [whatwg] Need to define same-origin policy for WebIDL operations/getters/setters

From: Jonas Sicking <jonas@sicking.cc>
Date: Sat, 15 Dec 2012 17:33:01 -0800
Message-ID: <CA+c2ei_V1GAPBaWt5QpjLaGEM6Vh0Aa_Gc5ih8kJ_yZ9RJEH4w@mail.gmail.com>
To: "public-script-coord@w3.org" <public-script-coord@w3.org>
Cc: whatwg <whatwg@lists.whatwg.org>

An "easy" solution would be to just return null for .contentDocument
in the case of cross-origin iframes.

/ Jonas

On Sat, Dec 15, 2012 at 10:43 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> Ccing whatwg because that's where the whole "origin" thing is currently
> defined.
>
> Consider this testcase:
>
> <iframe src="http://w3.org"></iframe><script>
> window.onload = function () {
>   try {
>     var doc = document.querySelector("iframe").contentDocument;
>     var list = document.getElementsByTagName.call(doc, "*");
>     alert(list.item(0).textContent);
>   } catch (e) {
>     alert(e);
>   }
> }</script>
>
> This throws in Safari, Chrome, Firefox, and Opera, all on the
> "getElementsByTagName.call" bit (except when loaded via file:// in Safari,
> in which case it actually lets you read all data from random website in the
> iframe).
>
> But I see nothing in the specs that requires this behavior, or indeed even
> allows it.  The security bits currently in the html spec talk about property
> access on cross-origin Document and Window, but in this case there is no
> property access happening on them per se...
>
> In any case, this needs to be defined somewhere.
>
> -Boris
Received on Sunday, 16 December 2012 01:33:59 UTC
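As an added illustration (not code from either message in the thread), the following models the two behaviours discussed: the check browsers apply when a borrowed `Document` operation is invoked via `.call` on a cross-origin document, and Jonas's alternative of returning null from `contentDocument`. The caller's origin is passed explicitly as a simplification of the calling script's settings object, and the document objects are constructed stand-ins, not real DOM.

```javascript
// Added model of the same-origin check discussed in the thread (not the spec's text).
class SecurityError extends Error {
  constructor(msg) { super(msg); this.name = "SecurityError"; }
}

// Origin = (scheme, host, port); default ports are filled in so that
// "http://w3.org/" and "http://w3.org:80/" compare equal.
function parseOrigin(url) {
  const u = new URL(url);
  const scheme = u.protocol.replace(/:$/, "");
  const port = u.port || (scheme === "https" ? "443" : "80");
  return { scheme, host: u.hostname, port };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Constructed stand-in for a Document: its origin plus a flat list of elements.
function makeDocument(url, elements) {
  return { origin: parseOrigin(url), elements };
}

// WebIDL-style operation. The check is made against `this`, the document the
// operation actually runs on, so borrowing the function from another document
// and invoking it with .call (as in Boris's testcase) does not bypass it.
function getElementsByTagName(callerOrigin, tagName) {
  if (!sameOrigin(callerOrigin, this.origin)) {
    throw new SecurityError("Operation invoked on a cross-origin Document");
  }
  return this.elements.filter((el) => tagName === "*" || el.tag === tagName);
}

// Jonas's suggestion: hand out the framed document only when same-origin.
function contentDocument(callerOrigin, framedDoc) {
  return sameOrigin(callerOrigin, framedDoc.origin) ? framedDoc : null;
}
```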
