Re: [whatwg] Need to define same-origin policy for WebIDL operations/getters/setters

From: Ian Hickson <ian@hixie.ch>
Date: Thu, 10 Jan 2013 00:41:05 +0000 (UTC)
To: Boris Zbarsky <bzbarsky@MIT.EDU>
Message-ID: <Pine.LNX.4.64.1301100039570.2101@ps20323.dreamhostps.com>
Cc: whatwg <whatwg@lists.whatwg.org>, Adam Barth <w3c@adambarth.com>

On Wed, 9 Jan 2013, Boris Zbarsky wrote:
> On 1/9/13 4:33 PM, Adam Barth wrote:
> > For what it's worth, that doesn't appear to be necessary for web 
> > compatibility.  Any time WebKit would return a Document to a script in 
> > another origin, WebKit returns null instead.
> 
> The HTML spec requires that property access on documents use effective 
> script origin for checks.
> 
> Effective script origins are mutable.
> 
> It is in fact possible to get your hands on a document in a different 
> effective script origin in WebKit (thanks, document.domain).

Yeah but in that particular situation it's not a big deal to not have the 
security check as far as I can tell. So if we can just return null 
instead, it would allow us to remove those checks.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 10 January 2013 00:41:31 GMT
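
An added sketch, not part of the original message or of any browser's code: a simplified JavaScript model of the point discussed above, that a Document handed out after a "return null unless same effective script origin" check can later sit in a different effective script origin once `document.domain` is set again. The names `ModelDocument`, `sameEffectiveOrigin`, `getDocument` and `demo`, the port markers and the example hostnames are assumptions made for illustration.

```javascript
// Simplified model (assumption): an effective script origin is (scheme, host, port).
// Setting document.domain replaces the host and swaps the port for an override
// marker, so both sides must opt in. Public-suffix checks are omitted.
class ModelDocument {
  constructor(url) {
    const u = new URL(url);
    this.scheme = u.protocol;
    this.effective = { scheme: u.protocol, host: u.hostname, port: u.port || "(default)" };
  }
  setDomain(value) {
    const cur = this.effective.host;
    // Only the current host or a dot-separated suffix of it is accepted.
    if (value !== cur && !cur.endsWith("." + value)) throw new Error("SecurityError");
    this.effective = { scheme: this.scheme, host: value, port: "(document.domain)" };
  }
}

function sameEffectiveOrigin(a, b) {
  return a.effective.scheme === b.effective.scheme &&
         a.effective.host === b.effective.host &&
         a.effective.port === b.effective.port;
}

// The "return null instead" gate, applied where a Document is handed to a caller.
function getDocument(caller, target) {
  return sameEffectiveOrigin(caller, target) ? target : null;
}

function demo() {
  // Constructed hostnames, for illustration only.
  const a = new ModelDocument("https://a.x.example.com/");
  const b = new ModelDocument("https://b.x.example.com/");
  const before = getDocument(a, b);        // different hosts
  a.setDomain("x.example.com");
  const oneSided = getDocument(a, b);      // only one side opted in
  b.setDomain("x.example.com");
  const held = getDocument(a, b);          // both opted in: reference handed out
  b.setDomain("example.com");              // effective script origin mutates
  const after = getDocument(a, b);         // a fresh lookup is refused
  // The reference obtained earlier is still held, now across effective origins.
  return { before, oneSided, heldIsB: held === b, after,
           heldStillSameOrigin: sameEffectiveOrigin(a, held) };
}
```

In this model the gate at hand-out time covers fresh lookups only; whether later property access on the already-held reference needs its own check is the question the thread is debating.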
