W3C home > Mailing lists > Public > whatwg@whatwg.org > November 2012

Re: [whatwg] Location object identity and navigation behavior

From: Ian Hickson <ian@hixie.ch>
Date: Tue, 20 Nov 2012 07:38:36 +0000 (UTC)
To: Boris Zbarsky <bzbarsky@MIT.EDU>
Message-ID: <Pine.LNX.4.64.1211200733470.16964@ps20323.dreamhostps.com>
Cc: whatwg <whatwg@lists.whatwg.org>, Matt Wobensmith <mwobensmith@mozilla.com>, Johnny Stenback <jst@mozilla.com>, Bobby Holley <bobbyholley@gmail.com>, Adam Barth <w3c@adambarth.com>
On Tue, 20 Nov 2012, Boris Zbarsky wrote:
> 
> All you need for script A to be able to call script B as the spec us 
> currently written is that sometime in the past the effective script 
> origin of A matched the effective script origin of some script C and 
> that at some point in the past (possibly a completely different point) 
> the effective script origin of B matched the effective script origin of 
> C (which may not have been the same at that point as when C matched A!).

I have great difficulty worrying about C accessing A. If you set 
document.domain and yet don't trust the other side, you've basically lost. 
Don't do that.

IMHO there's no point us trying to keep things locked down when you set 
document.domain. I'd be fine with making all the security checks still use 
the entry script's real origin, except that Window would now allow you 
access to stuff you didn't have access to before.


> I think the problem is that you're assuming invariants that just don't 
> hold. There is no current requirement in the spec that there be any 
> relationship between either the origin or effective script origin of the 
> entry script and the origins of the currently running script.

Because of document.domain. Yeah.

Man I wish we could just kill document.domain.


> > if you have both calling each other then you can almost certainly 
> > trick the script into doing what you want either way.
> 
> Who said anything about both calling each other?

If they're not calling each other, how are they both on the stack?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 20 November 2012 08:32:39 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 30 January 2013 18:48:11 GMT