
Re: [whatwg] Need to define same-origin policy for WebIDL operations/getters/setters

From: Ian Hickson <ian@hixie.ch>
Date: Thu, 10 Jan 2013 00:47:52 +0000 (UTC)
To: Anne van Kesteren <annevk@annevk.nl>
Message-ID: <Pine.LNX.4.64.1301100042450.2101@ps20323.dreamhostps.com>
Cc: whatwg@lists.whatwg.org, Boris Zbarsky <bzbarsky@mit.edu>

On Wed, 9 Jan 2013, Anne van Kesteren wrote:
> On Tue, Jan 8, 2013 at 7:46 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> > Actually, that's not enough.  You have to security-check arguments 
> > too. Otherwise this:
> >
> >   document.createTreeWalker(crossFrameDoc, etc);
> >
> > would be bad.  (Note that right now the DOM spec fails to handle this, 
> > which is about what I would expect out of people creating APIs, which 
> > is why I would really prefer we define this on a low level where 
> > people can't screw up by forgetting it.)
> 
> You didn't file a bug on this I think. I did think HTML handled this 
> already though which is why it is not addressed in the DOM 
> specification.

If we can make Window.document and contentDocument on iframe, frame, and 
object return "null" when cross-origin, we can drop the security checks on 
Document and createTreeWalker(), as far as I can tell.

That would maybe simplify matters a little. It's an orthogonal move 
relative to what bz has been advocating for in terms of what security 
model we should have, and it's more like what Chrome has. But do Opera and 
Microsoft want to go in that direction? I'm not over the moon about 
changing the security model without more buy-in.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 10 January 2013 00:48:17 GMT
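
The two approaches discussed in this message, as an added example that is not part of the original e-mail or of any specification: a toy JavaScript model comparing per-operation argument checks with an accessor that returns null across origins. Every name here (makeDoc, makeFrame, probe, the three model objects, the example.test origins) is hypothetical and models no real browser internals.

```javascript
// Constructed toy model: a "document" is a plain object tagged with an origin.
const makeDoc = (origin, marker) => ({ origin, nodes: ["html", "body", marker] });
const makeFrame = (doc) => ({ doc });

// Model A: the accessor hands the document over unchanged, so every
// operation has to security-check each object argument it receives.
const perOperation = {
  contentDocument: (callerOrigin, frame) => frame.doc,
  createTreeWalker(callerOrigin, root) {
    if (root.origin !== callerOrigin) throw new Error("SecurityError");
    return [...root.nodes];
  },
};

// Model A with the argument check left out: the omission the thread is
// concerned about when each API must remember its own check.
const perOperationForgotten = {
  ...perOperation,
  createTreeWalker: (callerOrigin, root) => [...root.nodes],
};

// Model B: the accessor returns null across origins, so the caller never
// holds a cross-origin document and the operation needs no origin check.
const nullAtBoundary = {
  contentDocument: (callerOrigin, frame) =>
    frame.doc.origin === callerOrigin ? frame.doc : null,
  createTreeWalker(callerOrigin, root) {
    if (root === null) throw new TypeError("root is not a Node");
    return [...root.nodes];
  },
};

// What a script running as callerOrigin can observe of the frame's document.
function probe(model, callerOrigin, frame) {
  try {
    const doc = model.contentDocument(callerOrigin, frame);
    return { leaked: model.createTreeWalker(callerOrigin, doc) };
  } catch (e) {
    return { blocked: e.message };
  }
}

// Constructed sample: a frame on origin B, probed by a script on origin A.
const crossFrame = makeFrame(makeDoc("https://b.example.test", "b-only-node"));
const models = { perOperation, perOperationForgotten, nullAtBoundary };
for (const [name, model] of Object.entries(models)) {
  console.log(name, JSON.stringify(probe(model, "https://a.example.test", crossFrame)));
}
```

In the model, only the variant that forgot its argument check exposes the other origin's nodes; the null-returning accessor blocks the same call with no check inside createTreeWalker.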
