Re: [w3c/permissions] Passing base dictionary won't work. (#59)

In https://github.com/w3c/permissions/issues/42#issuecomment-242774832 @jyasskin wrote:
> @jan-ivar Can you link to an explanation of the security claim? 

Gecko [implements some APIs in JavaScript](https://developer.mozilla.org/en-US/docs/Mozilla/Gecko/Script_security). We have a DOM membrane (compartments), but WebIDL bindings provide another layer of security by formalizing access, so mistakes are not made interrogating inputs in ways which could cause unintended side-effects.

`object` and `any` pose a special risk in that they put more burden on the implementer of each API to handle cross-compartment objects manually and with care. Specifically: avoiding accidentally executing potentially malicious JavaScript objects from privileged code (e.g. an innocent-looking getter may cause side-effects or manage to invoke malicious code directly).

As the prose in this spec is currently written, we can't implement it in JavaScript, which would be unusual. We'd need new support methods specifically to interrogate objects and convert them to safe dictionaries (which is doable, just more work).

Security aside, I think there's also a prevailing view that WebIDL was [designed around facilitating good API design only](https://github.com/w3c/webrtc-pc/issues/275#issuecomment-135278298), and conversely that something requiring prose and not fitting in could be a symptom of bad API design. This is a hygiene argument, though it fits my personal disdain for lateral APIs (though I sympathize with `.query` being hard to define without it. However, that sympathy does not extend to `.request` and `.revoke`, which attempt to replace already-correct domain-APIs without WebIDL problems).

Reply to this email directly or view it on GitHub:
https://github.com/w3c/permissions/issues/59#issuecomment-243578922

Received on Tuesday, 30 August 2016 20:59:55 UTC
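The getter risk described in the message above, as an added example that is not part of the original thread or of Gecko's code: a caller-supplied `object` argument can carry getters, so every property read by privileged code runs the caller's JavaScript, while a dictionary-style conversion at the boundary reads each declared member exactly once and hands the rest of the implementation an inert snapshot. The names `makeUntrustedDescriptor`, `naiveQuery`, `toDictionary`, `safeQuery` and the one-member `PermissionDescriptor` schema are constructed for this illustration and only model what a WebIDL dictionary binding does.

```javascript
// Constructed "untrusted" input: a getter that changes its answer on each read
// and records how often privileged code touched it.
function makeUntrustedDescriptor() {
  let reads = 0;
  return {
    get name() {
      reads += 1;
      // First read looks harmless; any later read returns something else.
      return reads === 1 ? "geolocation" : "camera";
    },
    get readCount() { return reads; },
  };
}

// Naive handling of an `object`/`any` argument: the live object is read twice,
// so the check and the use can observe different values (time-of-check/time-of-use).
function naiveQuery(descriptor) {
  if (descriptor.name !== "geolocation") throw new TypeError("unsupported");
  return { granted: descriptor.name }; // second read of the getter
}

// Dictionary-style conversion modelled on a WebIDL dictionary binding
// (hypothetical helper, not Gecko's or WebIDL's own code): each declared member
// is read exactly once, coerced to its declared type, and the result is a plain,
// frozen, null-prototype object with no getters left for later code to trigger.
const PermissionDescriptor = { name: String };

function toDictionary(schema, input) {
  if (input === null || (typeof input !== "object" && typeof input !== "function")) {
    throw new TypeError("dictionary conversion expects an object");
  }
  const out = Object.create(null);
  for (const [member, coerce] of Object.entries(schema)) {
    const value = input[member]; // the only read of this member
    if (value !== undefined) out[member] = coerce(value);
  }
  return Object.freeze(out);
}

// Privileged code that converts first and then works only on the snapshot.
function safeQuery(descriptorObject) {
  const d = toDictionary(PermissionDescriptor, descriptorObject);
  if (d.name !== "geolocation") throw new TypeError("unsupported");
  return { granted: d.name }; // same value the check saw
}
```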