W3C home > Mailing lists > Public > public-script-coord@w3.org > April to June 2013

resolving references when object from other security context is in scope

From: Hallvord Reiar M. Steen <hallvord@opera.com>
Date: Fri, 07 Jun 2013 13:27:44 +0200
To: public-script-coord@w3.org
Message-ID: <op.wya3gioix2oafe@hr-opera.guest-int.opera.com>
Hi,
I'm trying to settle on pass conditions for a test probing the  
implementation's same-origin policy.This might be the right mailing list  
for this question..

The browsers I test with differ and I'm not sure if this is covered by any  
spec, so it's a bit hard to decide what the right pass condition is. This  
is the issue:

* Given a HTML document with an IFRAME tag which has content from a  
different origin
* Given that the IFRAME defines global variables and methods 'foo' and  
'bar'

what happens if I do

with(iframe.contentWindow){
	foo = 'rewritten';
	bar();
}

..is not a problem. All browsers throw, as they should.

But what should happen here?

var variableInParent=1;
with(iframe.contentWindow){
	variableInParent++;
}

In this case, some browsers throw and some browsers permit referencing the  
variable in the global scope.

Also, defining new variables in the with block that previously exist  
neither in the global scope nor in the IFRAME's shows inconsistency across  
browsers:

with(iframe.contentWindow){
	previouslyUndefinedVariable='test';
}

Those browsers that throw for the second sample above also throw for this.  
(This does seem a bit concerning because in those browsers this can be  
used to spy on what *names* another site has defined in its JS. Just  
include target site in an IFRAME, try to define the variables you're  
looking for in an IFRAME - if it throws, you know the IFRAME does indeed  
define that variable..)

Is there any spec I can read to figure out what the right behaviour is?

-- 
Hallvord R. M. Steen
Core tester, Opera Software
Received on Friday, 7 June 2013 11:27:16 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:37:49 UTC