W3C home > Mailing lists > Public > public-script-coord@w3.org > January to March 2013

Re: [whatwg] Need to define same-origin policy for WebIDL operations/getters/setters

From: Cameron McCormack <cam@mcc.id.au>
Date: Tue, 08 Jan 2013 10:20:20 +1100
Message-ID: <50EB5834.50304@mcc.id.au>
To: David Bruant <bruant.d@gmail.com>
CC: Jonas Sicking <jonas@sicking.cc>, "public-script-coord@w3.org" <public-script-coord@w3.org>, whatwg <whatwg@lists.whatwg.org>, Boris Zbarsky <bzbarsky@MIT.EDU>
On 16/12/12 9:34 PM, David Bruant wrote:
> WebIDL needs to embed in some way the notion of origin to enable
> throwing for security reasons in the right places.
>
> One idea would be to add an [OriginAware] extended attribute:
> * On operations (like in Boris case), an origin check would be performed
> before calling the core of the operation

Why would this need to be on specific operations and not just be 
enforced on every operation?  Is it that we want to avoid the overhead 
of origin checking if we know that calling the operation does not leak 
information?  Or it it that only a limited set of objects is exposed 
cross origin anyway, so we only need to check those?

> * On attributes, both the getter and setter would throw if "this" is not
> of the right origin.
> * On interfaces, it would apply to everything (might be necessary for
> Window and Document)


For the actual wording of the check, we could either have a "security 
check" that is performed at the right time in #es-operations etc. and 
which HTML defines to do the origin checking, or we can make Web IDL 
aware of origins itself, and then HTML would define what origin 
different objects come from.
Received on Monday, 7 January 2013 23:20:09 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 8 May 2013 19:30:08 UTC