
Re: [whatwg] Need to define same-origin policy for WebIDL operations/getters/setters

From: Ian Hickson <ian@hixie.ch>
Date: Wed, 9 Jan 2013 21:28:02 +0000 (UTC)
To: Adam Barth <w3c@adambarth.com>
Message-ID: <Pine.LNX.4.64.1301092124470.2101@ps20323.dreamhostps.com>
Cc: whatwg <whatwg@lists.whatwg.org>, Boris Zbarsky <bzbarsky@mit.edu>

On Wed, 9 Jan 2013, Adam Barth wrote:
>
> The Document interface (which is what we started this thread discussing) 
> is never visible across origins and so does not have any of these 
> complexities.

Actually Document objects can be visible across origins per spec, but none 
of their properties ever are.

The four magic interfaces are Window, Document, Storage, and Location. 
They each have slightly different magic.

But as far as this thread goes, the solution for all four is basically the 
same; calling code on any of them should just run the same check as is run 
when accessing properties on them.

I'm happy to spec this, but IMHO the right spec is for WebIDL to introduce 
some hook I can use to make sure I catch all the relevant places. I don't 
really want the HTML spec to enumerate all the things here like getters 
and setters and methods and so forth that are relevant, I'd like it to 
just hook all of them at once, providing the algorithm for each of the 
above four interfaces, just like we do now for direct accesses.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 9 January 2013 21:28:28 GMT
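
Added example, not part of the original message or of any spec text: a toy JavaScript model of the kind of hook the message asks for, where every getter, setter and method on an interface runs that interface's access check on its receiver, so a borrowed getter or method gets the same answer as a direct property access. `ToyDocument`, `accessChecks`, `installHook` and `probe` are hypothetical names, and the plain same-origin rule is an assumption of the model.

```javascript
// Toy model, constructed for illustration. `currentOrigin` stands in for the
// origin of the running script; every object carries its own `origin` tag.
let currentOrigin = "https://a.example";
class SecurityError extends Error {}

class ToyDocument {
  constructor(origin) { this.origin = origin; this._cookie = "sid=constructed"; }
  get cookie() { return this._cookie; }
  set cookie(v) { this._cookie = v; }
  getTitle() { return "title@" + this.origin; }
}

// One access-check algorithm per interface (assumed rule for this model).
const accessChecks = {
  ToyDocument: (receiver) => receiver.origin === currentOrigin,
};

// The hook: wrap every getter, setter and method on the prototype so the
// check runs on the actual receiver, however the function was obtained.
function installHook(ctor) {
  const proto = ctor.prototype;
  for (const name of Object.getOwnPropertyNames(proto)) {
    if (name === "constructor") continue;
    const desc = Object.getOwnPropertyDescriptor(proto, name);
    for (const slot of ["get", "set", "value"]) {
      const fn = desc[slot];
      if (typeof fn !== "function") continue;
      desc[slot] = function (...args) {
        if (!accessChecks[ctor.name](this, name)) {
          throw new SecurityError(`${ctor.name}.${name} blocked`);
        }
        return fn.apply(this, args);
      };
    }
    Object.defineProperty(proto, name, desc);
  }
}
installHook(ToyDocument);

// Reach the same members three ways; all must get the same answer.
function probe(doc) {
  const getter = Object.getOwnPropertyDescriptor(ToyDocument.prototype, "cookie").get;
  const attempts = {
    property: () => doc.cookie,
    borrowedGetter: () => getter.call(doc),
    borrowedMethod: () => ToyDocument.prototype.getTitle.call(doc),
  };
  const out = {};
  for (const [label, run] of Object.entries(attempts)) {
    try { run(); out[label] = "allowed"; } catch (e) {
      if (!(e instanceof SecurityError)) throw e;
      out[label] = "blocked";
    }
  }
  return out;
}
```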
