Re: Defining secure-enough origins. from Mike West on 2014-08-22 (public-webappsec@w3.org from August 2014)

From: Mike West <mkwst@google.com>
Date: Fri, 22 Aug 2014 20:50:13 +0200
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Chris Palmer <palmer@google.com>, Ryan Sleevi <sleevi@google.com>, Anne van Kesteren <annevk@annevk.nl>
Message-ID: <CAKXHy=eK6A94bsvyVYx2E+XebA_GFzZsN5iRPotORSJ9YG9HYw@mail.gmail.com>

Hrm. The two have similar properties, and should be treated similarly. More
to the point: I don't think there's any good justification for allowing
'javascript:' resources access to the kinds of APIs that we're talking
about restricting. I wouldn't be sad if sandboxing them into unique origins
prevented them from accessing such APIs.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Fri, Aug 22, 2014 at 7:43 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:

> On 8/22/14, 1:41 PM, Mike West wrote:
>
>> Thoughts about 'data:'? I don't really think doing taint-checking on
>> 'data:' URL navigations is worth it (or easily implementable).
>>
>
> What are you doing for javascript: ?
>
> Seems like that has the same problem as data:, except javascript: will
> automatically pick up the document URI of ... something (script entry
> point, unless you do it via setting @src, in which case it's the
> ownerDocument of the frame).
>
> -Boris
>
>

Received on Friday, 22 August 2014 18:51:02 UTC