
Re: [whatwg] Need to define same-origin policy for WebIDL operations/getters/setters

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Tue, 08 Jan 2013 01:46:27 -0500
Message-ID: <50EBC0C3.2050305@mit.edu>
To: whatwg@lists.whatwg.org

On 1/8/13 1:42 AM, Boris Zbarsky wrote:
> On 1/7/13 11:28 PM, Ian Hickson wrote:
>> The check is the same -- if the Document that is the "this" to
>> which the property is being applied doesn't match the origin of the
>> script
>> that is doing the applying, throw SecurityError.

Actually, that's not enough. You have to security-check arguments too.
Otherwise this:

   document.createTreeWalker(crossFrameDoc, etc);

would be bad.  (Note that right now the DOM spec fails to handle this, 
which is about what I would expect out of people creating APIs, which is 
why I would really prefer we define this on a low level where people 
can't screw up by forgetting it.)

-Boris
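As an added illustration of the point in the message above (constructed example, not code from the post, the WHATWG spec, or any browser): a toy model of a WebIDL-style operation whose same-origin gate checks only `this` beside one that also checks its Node arguments. The `SecurityError`, `makeDocument`, `assertSameOrigin`, `createTreeWalker*`, `tryCall` and `demo` names and the origin strings are all assumptions.

```javascript
// Added example, not from the post or any spec: a toy model of a WebIDL-style
// operation gated by a same-origin check on BOTH `this` and its Node arguments.
// Documents are constructed stand-ins carrying only an origin string.

class SecurityError extends Error {
  constructor(msg) { super(msg); this.name = "SecurityError"; }
}

function makeDocument(origin) {
  return { origin, nodeType: 9 };
}

// Compare the calling script's origin with the origin of the object it touches.
function assertSameOrigin(callerOrigin, obj, what) {
  if (obj.origin !== callerOrigin) {
    throw new SecurityError(`${what} is ${obj.origin}, caller is ${callerOrigin}`);
  }
}

// Receiver-only gate as described in the quoted proposal: only `this` is checked.
function createTreeWalkerReceiverOnly(callerOrigin, thisDoc, rootArg) {
  assertSameOrigin(callerOrigin, thisDoc, "this Document");
  return { root: rootArg }; // a cross-origin root passes through unchecked
}

// Gate Boris asks for: `this` AND every Document/Node argument are checked.
function createTreeWalkerChecked(callerOrigin, thisDoc, rootArg) {
  assertSameOrigin(callerOrigin, thisDoc, "this Document");
  assertSameOrigin(callerOrigin, rootArg, "root argument");
  return { root: rootArg };
}

// true if the call went through, false if the same-origin gate blocked it.
function tryCall(fn, ...args) {
  try { fn(...args); return true; }
  catch (e) { if (e instanceof SecurityError) return false; throw e; }
}

function demo() {
  const caller = "https://a.example";                 // constructed origins
  const ownDoc = makeDocument("https://a.example");
  const crossFrameDoc = makeDocument("https://b.example");
  return {
    sameOriginArgAllowed: tryCall(createTreeWalkerChecked, caller, ownDoc, ownDoc),
    receiverOnlyLeaks: tryCall(createTreeWalkerReceiverOnly, caller, ownDoc, crossFrameDoc),
    argumentCheckBlocks: !tryCall(createTreeWalkerChecked, caller, ownDoc, crossFrameDoc),
    crossOriginThisBlocked: !tryCall(createTreeWalkerChecked, "https://b.example", ownDoc, ownDoc),
  };
}
```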
Received on Tuesday, 8 January 2013 06:46:57 GMT
