
Re: [whatwg] Location object identity and navigation behavior

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Fri, 09 Nov 2012 18:39:47 -0800
Message-ID: <509DBE73.7070109@mit.edu>
To: Adam Barth <w3c@adambarth.com>
Cc: whatwg <whatwg@lists.whatwg.org>, Matt Wobensmith <mwobensmith@mozilla.com>, Bobby Holley <bobbyholley@gmail.com>, Johnny Stenback <jst@mozilla.com>

On 11/9/12 2:05 PM, Adam Barth wrote:
>   The approach we use in WebKit is quite simple---we just perform an
> access check before doing any sensitive operations.

The issue in Gecko, as I understand, is that security checks from C++ 
code require introspecting running JS to figure out what the right actor 
("subject") origin for the security check is.  This is somewhat fragile 
because it's easy to accidentally interpose other things that look like 
running JS between the caller and callee in many cases.  Note that this 
problem would be even worse for a self-hosted (implemented in JS) 
implementation of something like Location...

The upshot is that instead we aim to do security checks at points where 
control crosses from one origin to another, and use proxies to enforce 
the security invariants involved.

Bobby knows more about this than I do, so I'll let him correct any 
inaccuracies.

> This access check is required in any case because the underlying Location object is
> visible across origins.

In Gecko, it's actually not.  A proxy is visible.

One thing I'd like is some comment from Opera and Microsoft about what 
their situation is, since implementing what WebKit does would mean both 
of those changing.  This is probably the wrong venue to get hold of 
Microsoft for an official statement, sadly.  :(

-Boris
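As an added illustration (not code from this thread, from Gecko or from WebKit), here is a toy model of the proxy approach Boris describes: the real Location-like object is never handed out, each caller gets a Proxy bound to the caller's origin, and the check runs where control crosses the origin boundary rather than inside each operation. The origin model and the set of members reachable cross-origin (the `href` setter and `replace()`) are simplified assumptions.

```javascript
// Added example, not code from the thread or from Gecko/WebKit: a toy model of
// the proxy-based approach. The trusted Location object is never exposed; each
// caller receives a Proxy bound to its own origin, and the security check runs
// at that boundary instead of inside every method.
// Assumption: only the `href` setter and `replace()` are reachable cross-origin.
const CROSS_ORIGIN_SETTABLE = new Set(["href"]);
const CROSS_ORIGIN_CALLABLE = new Set(["replace"]);

function originOf(href) {
  const u = new URL(href);
  return `${u.protocol}//${u.host}`;
}

// The trusted, fully readable Location-like object (constructed stand-in).
function makeLocation(initialHref) {
  const state = { href: new URL(initialHref).href };
  return {
    get href() { return state.href; },
    set href(v) { state.href = new URL(v, state.href).href; },
    get pathname() { return new URL(state.href).pathname; },
    replace(v) { state.href = new URL(v, state.href).href; },
  };
}

// Wrap `location` for a caller whose origin is `callerOrigin`. Same-origin
// callers see everything; cross-origin callers may only navigate. The check
// re-evaluates the current document origin on every access, so a navigation
// that changes origin immediately changes what each caller may do.
function wrapLocationFor(location, callerOrigin) {
  const sameOrigin = () => originOf(location.href) === callerOrigin;
  return new Proxy(location, {
    get(target, prop) {
      const allowed = sameOrigin() || CROSS_ORIGIN_CALLABLE.has(prop);
      if (!allowed) throw new TypeError(`Permission denied to read "${String(prop)}" cross-origin`);
      const v = target[prop];
      return typeof v === "function" ? v.bind(target) : v;
    },
    set(target, prop, value) {
      const allowed = sameOrigin() || CROSS_ORIGIN_SETTABLE.has(prop);
      if (!allowed) throw new TypeError(`Permission denied to set "${String(prop)}" cross-origin`);
      target[prop] = value;
      return true;
    },
  });
}

// Attempt a property read through a proxy and report whether it was allowed.
function tryRead(proxy, prop) {
  try { return { ok: true, value: proxy[prop] }; }
  catch (e) { return { ok: false, error: e.constructor.name }; }
}
```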
Received on Saturday, 10 November 2012 03:11:31 GMT
