
Re: [whatwg] Need to define same-origin policy for WebIDL operations/getters/setters

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Wed, 09 Jan 2013 17:24:34 -0500
Message-ID: <50EDEE22.7000609@mit.edu>
To: Adam Barth <w3c@adambarth.com>
Cc: whatwg <whatwg@lists.whatwg.org>, Ian Hickson <ian@hixie.ch>

On 1/9/13 5:19 PM, Adam Barth wrote:
> Those checks are neither required for compatibility nor security.  The
> spec might say to perform the checks, but they aren't needed to build
> a secure, compatible browser.

OK.  So what checks do you believe are required, then?  Just effective 
script origin checks on Window?

I would really appreciate it if you would actually describe the security 
model you think the spec should have instead of us having to guess what 
parts you think are needed and which parts you think are not needed, 
with more gotchas and details all the time.

-Boris
Received on Wednesday, 9 January 2013 22:25:03 GMT
