
Re: [XHR] security issue with spec's "same-origin" and the Document pointer

From: Ian Hickson <ian@hixie.ch>
Date: Mon, 24 Nov 2008 20:58:00 +0000 (UTC)
To: "Hallvord R. M. Steen" <hallvord@opera.com>
Cc: Anne van Kesteren <annevk@opera.com>, public-webapps@w3.org
Message-ID: <Pine.LNX.4.62.0811242056090.17414@hixie.dreamhostps.com>

On Mon, 24 Nov 2008, Hallvord R. M. Steen wrote:
> 
> The point is that there *is* no document pointer until you call the 
> constructor - per the spec. And once that script calls the constructor 
> and the document pointer is created, the associated window has a 
> different document in it from a different origin. Hence the document 
> pointer will reference a document from a different origin than the 
> script itself has, and same-origin comparisons will pass when they 
> should fail and vice versa.

Valid point; the XHR spec should use the "script document context" as the 
Document instead. Warning though, this part of the HTML5 spec is 
definitely unstable.

http://www.whatwg.org/specs/web-apps/current-work/#script-document-context

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 24 November 2008 20:58:38 GMT
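
The mismatch discussed in this message, as an added example that is not part of the original thread and is not browser or spec code: a simplified model in which the same-origin check is run once against the associated window's current document and once against the script's own document. All names (`ModelWindow`, `makeScript`, the `construct...` functions) and the `a.example` / `b.example` URLs are constructed for illustration.

```javascript
// Simplified model, constructed for illustration (assumption: origins are
// compared as plain URL origins; real browsers track far more state).
const originOf = (url) => new URL(url).origin;

class ModelWindow {
  constructor(url) { this.navigate(url); }
  // Navigation replaces the document held by the window.
  navigate(url) { this.document = { url, origin: originOf(url) }; }
}

// A script keeps a reference to its window and to the document it came from.
function makeScript(win) {
  return { window: win, scriptDocument: win.document };
}

// Behaviour described in the quoted text: the Document pointer is taken
// from the associated window when the constructor is called.
function constructWithWindowDocument(script) {
  return { documentPointer: script.window.document };
}

// Suggested direction in the reply: use the script's own document instead.
function constructWithScriptDocument(script) {
  return { documentPointer: script.scriptDocument };
}

function isSameOrigin(xhr, requestUrl) {
  return xhr.documentPointer.origin === originOf(requestUrl);
}

function demo() {
  const win = new ModelWindow("https://a.example/page.html");
  const script = makeScript(win);                 // script belongs to a.example
  win.navigate("https://b.example/index.html");   // window now holds b.example
  const viaWindow = constructWithWindowDocument(script);
  const viaScript = constructWithScriptDocument(script);
  const check = (xhr) => ({
    toA: isSameOrigin(xhr, "https://a.example/data"),
    toB: isSameOrigin(xhr, "https://b.example/data"),
  });
  return { windowDocument: check(viaWindow), scriptDocument: check(viaScript) };
}

console.log(demo());
```

With the window's document as the pointer, the check passes for `b.example` and fails for `a.example`, the reverse of what the script's origin calls for; binding to the script's document restores the expected result.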
