- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Mon, 07 Jan 2013 20:48:46 -0500
- To: Cameron McCormack <cam@mcc.id.au>
- CC: David Bruant <bruant.d@gmail.com>, Jonas Sicking <jonas@sicking.cc>, "public-script-coord@w3.org" <public-script-coord@w3.org>, whatwg <whatwg@lists.whatwg.org>
On 1/7/13 6:20 PM, Cameron McCormack wrote:
> Why would this need to be on specific operations and not just be
> enforced on every operation?

I believe Gecko currently enforces this sort of thing on every operation, for what it's worth.

> Or is it that only a limited set of objects is exposed
> cross origin anyway

The set of objects exposed is not particularly limited once document.domain gets involved.

Note that there is longstanding disagreement on which cases of direct property access should perform same-origin checks. Again, Gecko I believe does it for all but a whitelist of properties like Window.top and such.

> For the actual wording of the check, we could either have a "security
> check" that is performed at the right time in #es-operations etc. and
> which HTML defines to do the origin checking, or we can make Web IDL
> aware of origins itself, and then HTML would define what origin
> different objects come from.

For what it's worth, in Gecko the "is same origin" determination is one and the same as "implements an interface" determination: a cross-origin object simply claims to not implement any interfaces from the caller's point of view.

-Boris
Received on Tuesday, 8 January 2013 01:49:17 UTC
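The two ideas in the message above (a same-origin check on every operation with a short whitelist of cross-origin-reachable properties, and "implements interface X" answering "no" for any cross-origin object) are easy to get wrong when a check is attached to individual operations instead of applied uniformly. The following is an added toy model written for this archive page; it is not code from the thread, from Gecko or from Web IDL. Window.top is the whitelisted name the message mentions; the other whitelist entries, the `WindowImpl` stand-in, `wrapForCaller`, `implementsInterface` and the string-valued origins are all assumptions made for the illustration.

```javascript
// Added illustration, not code from the thread or from Gecko: a toy model of
// the design discussed above. Every property access on a wrapped object runs
// a same-origin check; a small whitelist (Window.top is the page's example,
// the remaining names are assumed) stays reachable cross-origin; and
// "implements interface X" is answered "no" for any cross-origin object.
// Origins are modelled as plain strings such as "https://a.example".

const CROSS_ORIGIN_WHITELIST = new Set([
  "top", "parent", "window", "self", "location", "closed", "postMessage",
]);

class SecurityError extends Error {
  constructor(message) {
    super(message);
    this.name = "SecurityError";
  }
}

// Stand-in for a browser's Window implementation object (assumed shape).
class WindowImpl {
  constructor(origin, name) {
    this.origin = origin;
    this.name = name;
    this.document = { title: `${name} document` };
    this.top = this; // a top-level window is its own top
    this.postMessage = (msg) => ({ delivered: msg, to: origin });
  }
}

function sameOrigin(a, b) {
  return a === b;
}

// Bookkeeping so implementsInterface() can see through a wrapper.
const wrapperInfo = new WeakMap();

// Return the view of `target` that code running at `callerOrigin` gets.
// Every get/set/has goes through the check, so no operation is forgotten;
// only whitelisted names survive a cross-origin get, and no write survives.
function wrapForCaller(target, callerOrigin) {
  const proxy = new Proxy(target, {
    get(t, prop) {
      const allowed = sameOrigin(callerOrigin, t.origin) || CROSS_ORIGIN_WHITELIST.has(prop);
      if (!allowed) {
        throw new SecurityError(`${callerOrigin} may not read "${String(prop)}" of ${t.origin}`);
      }
      const value = Reflect.get(t, prop);
      // Windows reached through a view (e.g. window.top) are wrapped for the same caller.
      return value instanceof WindowImpl ? wrapForCaller(value, callerOrigin) : value;
    },
    set(t, prop, value) {
      if (!sameOrigin(callerOrigin, t.origin)) {
        throw new SecurityError(`${callerOrigin} may not write "${String(prop)}" of ${t.origin}`);
      }
      return Reflect.set(t, prop, value);
    },
    has(t, prop) {
      if (sameOrigin(callerOrigin, t.origin)) return Reflect.has(t, prop);
      return CROSS_ORIGIN_WHITELIST.has(prop) && Reflect.has(t, prop);
    },
  });
  wrapperInfo.set(proxy, { target, callerOrigin });
  return proxy;
}

// The rule Boris describes, as a model: from the caller's point of view a
// cross-origin object claims to implement no interface at all.
function implementsInterface(obj, Interface) {
  const info = wrapperInfo.get(obj);
  if (!info) return obj instanceof Interface; // unwrapped implementation object
  return sameOrigin(info.callerOrigin, info.target.origin) && info.target instanceof Interface;
}

// Attempt a read and report the outcome instead of throwing.
function tryRead(view, prop) {
  try {
    return { ok: true, value: view[prop] };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Constructed scenario: page A looks at itself and at a window from origin B.
function demo() {
  const a = new WindowImpl("https://a.example", "A");
  const b = new WindowImpl("https://b.example", "B");
  const selfView = wrapForCaller(a, a.origin);
  const crossView = wrapForCaller(b, a.origin);
  return {
    ownTitle: tryRead(selfView, "document").value.title,
    crossDocument: tryRead(crossView, "document"),
    crossTopIsWindow: implementsInterface(tryRead(crossView, "top").value, WindowImpl),
    crossPost: crossView.postMessage("hello").to,
    selfIsWindow: implementsInterface(selfView, WindowImpl),
    crossIsWindow: implementsInterface(crossView, WindowImpl),
    crossHasDocument: "document" in crossView,
    crossHasTop: "top" in crossView,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Running the file prints the `demo()` result: the same-origin view reads `document` normally, the cross-origin view gets a `SecurityError` for `document` but can still reach `top` and call `postMessage`, and `implementsInterface` reports `false` for the cross-origin view even though the underlying object is a `WindowImpl`. Putting the check in the wrapper's traps rather than on individual operations is what makes the "every operation" design hard to get wrong by omission.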