
Re: [whatwg] Need to define same-origin policy for WebIDL operations/getters/setters

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Mon, 07 Jan 2013 20:48:46 -0500
Message-ID: <50EB7AFE.9060104@mit.edu>
To: Cameron McCormack <cam@mcc.id.au>
Cc: whatwg <whatwg@lists.whatwg.org>, "public-script-coord@w3.org" <public-script-coord@w3.org>, David Bruant <bruant.d@gmail.com>, Jonas Sicking <jonas@sicking.cc>

On 1/7/13 6:20 PM, Cameron McCormack wrote:
> Why would this need to be on specific operations and not just be
> enforced on every operation?

I believe Gecko currently enforces this sort of thing on every 
operation, for what it's worth.

> Or is it that only a limited set of objects is exposed
> cross origin anyway

The set of objects exposed is not particularly limited once 
document.domain gets involved.

Note that there is longstanding disagreement on which cases of direct 
property access should perform same-origin checks.  Again, Gecko I 
believe does it for all but a whitelist of properties like Window.top 
and such.

> For the actual wording of the check, we could either have a "security
> check" that is performed at the right time in #es-operations etc. and
> which HTML defines to do the origin checking, or we can make Web IDL
> aware of origins itself, and then HTML would define what origin
> different objects come from.

For what it's worth, in Gecko the "is same origin" determination is one 
and the same as "implements an interface" determination: a cross-origin 
object simply claims to not implement any interfaces from the caller's 
point of view.

-Boris
Received on Tuesday, 8 January 2013 01:49:15 GMT
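
An added example, not part of the original message and not Gecko code: a simplified JavaScript model of the behaviour described above, where the same-origin check and the "implements an interface" check are one test run on every getter, with an allowlist for properties such as Window.top. The names PlatformObject, implementsInterface, makeGetter and tryGet, the TypeError, and the origin strings are assumptions made for the illustration; origins are compared as plain strings and document.domain is not modelled.

```javascript
// Simplified model: one check answers both "is this object same-origin?" and
// "does this object implement the interface?". Not taken from any browser.
const ALLOWED_CROSS_ORIGIN = new Set(["Window.top"]); // allowlisted property from the message

class PlatformObject {
  constructor(iface, origin, state) {
    this.iface = iface;   // WebIDL interface name
    this.origin = origin; // origin the object belongs to (constructed value)
    this.state = state;   // stands in for the object's internal slots
  }
}

// From the caller's point of view a cross-origin object implements nothing.
function implementsInterface(obj, iface, callerOrigin) {
  return obj instanceof PlatformObject &&
         obj.iface === iface &&
         obj.origin === callerOrigin;
}

// Build the getter for iface.member; the check runs on every invocation.
function makeGetter(iface, member) {
  const name = `${iface}.${member}`;
  return function (thisObj, callerOrigin) {
    // Allowlisted members skip the origin part but keep the interface part.
    const allowlisted = ALLOWED_CROSS_ORIGIN.has(name) &&
      thisObj instanceof PlatformObject && thisObj.iface === iface;
    if (!allowlisted && !implementsInterface(thisObj, iface, callerOrigin)) {
      throw new TypeError(`${name}: object does not implement interface ${iface}`);
    }
    return thisObj.state[member];
  };
}

// Helper for the demo: return the value, or the name of the error thrown.
function tryGet(getter, obj, callerOrigin) {
  try { return getter(obj, callerOrigin); } catch (e) { return e.name; }
}

// Constructed sample: a Window owned by https://a.example.
const win = new PlatformObject("Window", "https://a.example",
                               { top: "top-ref", document: "doc-ref" });
const getDocument = makeGetter("Window", "document");
const getTop = makeGetter("Window", "top");
console.log(tryGet(getDocument, win, "https://a.example")); // same origin
console.log(tryGet(getDocument, win, "https://b.example")); // cross origin
console.log(tryGet(getTop, win, "https://b.example"));      // allowlisted
```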
