W3C home > Mailing lists > Public > whatwg@whatwg.org > November 2012

Re: [whatwg] Location object identity and navigation behavior

From: Ian Hickson <ian@hixie.ch>
Date: Tue, 20 Nov 2012 06:23:55 +0000 (UTC)
To: Boris Zbarsky <bzbarsky@MIT.EDU>
Message-ID: <Pine.LNX.4.64.1211200618280.26354@ps20323.dreamhostps.com>
Cc: whatwg <whatwg@lists.whatwg.org>, Matt Wobensmith <mwobensmith@mozilla.com>, Johnny Stenback <jst@mozilla.com>, Bobby Holley <bobbyholley@gmail.com>, Adam Barth <w3c@adambarth.com>
On Mon, 19 Nov 2012, Boris Zbarsky wrote:
> On 11/19/12 8:38 PM, Ian Hickson wrote:
> > For now I've tightened up the spec so it should be implementable, 
> > secure, and Web-compatible
> 
> I don't believe it's secure as currently written, actually.  Filed 
> https://www.w3.org/Bugs/Public/show_bug.cgi?id=20012

Could you elaborate in the bug? I've no idea what you think is wrong.


> > I'm also curious as to why figuring out the "entry script"'s 
> > characteristics needs to use the stack introspection rather than just 
> > having an event-loop global "first script" variable
> 
> You can maintain a stack of entry scripts.  You can't use a global, 
> because you need to push and pop entry scripts as various things happen 
> (e.g. invoking event listeners sets the entry script to the event 
> listener function's script for the duration of the event listener 
> invocation).

The way the spec does it, the stack is implemented as the actual call 
stack, with nested calls to "jump to a code entry-point" storing the old 
value, updating the global, running the script, then restoring the global 
to the stored old value.


> There is no such stack of entry scripts in Gecko yet, but we're working 
> on changing that.
>
> The thing that _really_ requires stack introspection is when you need to 
> look at the caller script instead of the entry script.  Which is what 
> you need to do when performing Location security checks (or indeed, any 
> security checks).

Can you show an example of when that is needed?

As far as I can tell, the entry script always has the same origin as the 
running script. I guess this isn't necessarily true of the effective 
origin, which is what we're using for the Location object security? Is 
that the problem here?

If so, why don't we just make it be an origin check of the entry script 
instead of an effective origin check? If that would make it simpler for 
Gecko, that's fine by me. I don't really see why it would matter in this 
case anyway; if you have both calling each other then you can almost 
certainly trick the script into doing what you want either way.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 20 November 2012 07:50:41 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 30 January 2013 18:48:11 GMT