
Re: [whatwg] Need to define same-origin policy for WebIDL operations/getters/setters

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 9 Jan 2013 14:19:55 -0800
Message-ID: <CAJE5ia-FRhCWv_pxpT=jP0TnRz5rQJyd-PVs40ti2o0TdJNF3Q@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: whatwg <whatwg@lists.whatwg.org>, Ian Hickson <ian@hixie.ch>

On Wed, Jan 9, 2013 at 2:18 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> On 1/9/13 4:33 PM, Adam Barth wrote:
>> For what it's worth, that doesn't appear to be necessary for web
>> compatibility.  Any time WebKit would return a Document to a script in
>> another origin, WebKit returns null instead.
>
> The HTML spec requires that property access on documents use effective
> script origin for checks.
>
> Effective script origins are mutable.
>
> It is in fact possible to get your hands on a document in a different
> effective script origin in WebKit (thanks, document.domain).

Those checks are neither required for compatibility nor security.  The
spec might say to perform the checks, but they aren't needed to build
a secure, compatible browser.

Adam
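The point Boris raises, that a Document reference obtained while same-origin can later sit in a different effective script origin because document.domain mutates it, is easy to lose in the abstract. The following is an added example, not code from the thread, WebKit or any browser: a small JavaScript model of the HTML spec's origin and effective script origin comparisons and of the document.domain setter. The class and function names (Origin, Doc, sameOriginDomain, setDocumentDomain, readTitle, scenario), the sample hosts, and the decision to return null rather than throw on a failed check are all assumptions made for illustration; the real setter's public-suffix check is omitted.

```javascript
// Added example (not from the thread): a model of origin vs. effective script
// origin, showing how a Document handle obtained while same-origin can later
// fail the effective-script-origin check after document.domain is set.
// Assumptions: an origin is {scheme, host, port, domain}; the real setter's
// public-suffix rejection ("com", "co.uk") is left out.

class Origin {
  constructor(scheme, host, port) {
    this.scheme = scheme;
    this.host = host;
    this.port = port;
    this.domain = null; // set by document.domain; part of the effective script origin
  }
}

// "Same origin": scheme/host/port only; document.domain plays no part.
function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Effective script origin comparison ("same origin-domain" in the HTML spec):
// neither has a domain set -> compare like sameOrigin; both have one -> scheme
// and domain must match; one set and one not -> different.
function sameOriginDomain(a, b) {
  if (a.domain === null && b.domain === null) return sameOrigin(a, b);
  if (a.domain !== null && b.domain !== null) {
    return a.scheme === b.scheme && a.domain === b.domain;
  }
  return false;
}

class Doc {
  constructor(scheme, host, port) {
    this.origin = new Origin(scheme, host, port);
    this.title = host; // a property guarded by the effective-script-origin check
  }
}

// Model of the document.domain setter: the value must equal the host or be a
// dot-bounded suffix of it, else SecurityError. Note that it mutates the
// origin object that every existing reference to this document shares.
function setDocumentDomain(doc, value) {
  const host = doc.origin.host;
  if (value !== host && !host.endsWith('.' + value)) {
    throw new Error('SecurityError: ' + value + ' is not a suffix of ' + host);
  }
  doc.origin.domain = value;
}

// Property access on a Document from script in another document: allowed only
// when the two effective script origins match. Returning null on failure
// mirrors the WebKit behaviour described in the thread (assumption: a
// conforming engine might throw instead).
function readTitle(accessor, target) {
  if (!sameOriginDomain(accessor.origin, target.origin)) return null;
  return target.title;
}

// The scenario from the thread: a and b start same-origin, a keeps a reference
// to b, then b relaxes document.domain and the reference goes cross-origin.
function scenario() {
  const a = new Doc('https', 'a.example.com', 443);
  const b = new Doc('https', 'a.example.com', 443);
  const results = [];
  results.push(readTitle(a, b));        // same origin: 'a.example.com'
  setDocumentDomain(b, 'example.com');  // only b's effective origin changes
  results.push(readTitle(a, b));        // a's old handle is now cross-origin: null
  setDocumentDomain(a, 'example.com');  // a relaxes to the same domain
  results.push(readTitle(a, b));        // both relaxed and equal: 'a.example.com'
  return results;
}
```

The mutability is the whole problem: sameOrigin(a, b) stays true throughout scenario(), so an engine that keyed its checks on the plain origin and did the check only at the moment the reference was handed out would miss the second step.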
Received on Wednesday, 9 January 2013 22:20:52 GMT
