W3C home > Mailing lists > Public > public-script-coord@w3.org > July to September 2013

[Bug 22346] Security: When invoking a method, getter, or setter on an object using the property descriptor of another, we need to do a security check

From: <bugzilla@jessica.w3.org>
Date: Wed, 24 Jul 2013 17:30:23 +0000
To: public-script-coord@w3.org
Message-ID: <bug-22346-3890-Lsg0w78mmO@http.www.w3.org/Bugs/Public/>
https://www.w3.org/Bugs/Public/show_bug.cgi?id=22346

Ian 'Hixie' Hickson <ian@hixie.ch> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ian@hixie.ch

--- Comment #7 from Ian 'Hixie' Hickson <ian@hixie.ch> ---
I don't think this should apply to every object (note: bz contends otherwise,
understandably, because doing it everywhere is good defense in depth — but
currently, only Gecko does it everywhere, and unless the other browser vendors
are willing to change their security model to check this on every operation,
I'd rather not require it, since then we wouldn't match the majority of
reality).

Also, note that it's not all properties that are blocked; Window and Location
in particular allow some but disallow others.

I think the way to do this that most closely matches what most browsers do
would be to have a hook in the algorithms for methods, getters, and setters,
that checks if this particular object is a "secured object", and if it is,
invokes some hook that returns "ok" or "fail". Then, in HTML, I define the hook
as being what the spec says now for properties on these objects (Window, and
Location, primarily, but also Document - always "fail" if the origin is
different - and Storage).

-- 
You are receiving this mail because:
You are on the CC list for the bug.
Received on Wednesday, 24 July 2013 17:30:26 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:37:50 UTC