Re: [whatwg] Need to define same-origin policy for WebIDL operations/getters/setters

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Wed, 09 Jan 2013 23:21:51 -0500
Message-ID: <50EE41DF.8080009@mit.edu>
To: Adam Barth <w3c@adambarth.com>
Cc: whatwg <whatwg@lists.whatwg.org>, Ian Hickson <ian@hixie.ch>
Adam, thank you for taking the time to put this together.  I really 
appreciate it.  There are lots of things here where we can converge 
behavior no matter what happens with other pieces of the platform.

On 1/9/13 5:58 PM, Adam Barth wrote:
> Generally speaking, I'd recommend exposing as few things across
> origins as possible.

Yes, agreed.  For what it's worth, I believe Gecko recently made history 
not accessible cross-origin anymore, so with any luck you'll be able to 
make this change too if desired...

> 6) In addition, the following APIs have extra security checks.  All
> these APIs return a Node.  Before returning the Node, they check
> whether the Node's document's origin is the same origin as the script
> calling the API.  If not, they return null instead of the node.  (We
> could potentially throw an exception here, but I'm just describing
> what WebKit does, not what I think the optimum design is.)

Returning null for these is probably fine.  I think I'd support making 
this list of things return null cross-origin.  Just to check, do you 
make this determination based on the origin or the effective script 
origin (in spec terms)?

> I should also say that it's entirely possible we've screwed up our
> implementation of this security model.  If you discover that we have,
> I'd prefer if you filed a security bug rather than telling the world
> on this public mailing list.  :)

Indeed.  ;)

-Boris
Received on Thursday, 10 January 2013 04:22:20 GMT