W3C home > Mailing lists > Public > whatwg@whatwg.org > January 2013

Re: [whatwg] Need to define same-origin policy for WebIDL operations/getters/setters

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 10 Jan 2013 22:29:02 -0800
Message-ID: <CAJE5ia8nJ_NHv6zLUSegev3qoLLDdFZE4OYcEfr4FJTMxTFrnw@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: whatwg <whatwg@lists.whatwg.org>, Ian Hickson <ian@hixie.ch>
On Wed, Jan 9, 2013 at 8:21 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> Adam, thank you for taking the time to put this together.  I really
> appreciate it.  There are lots of things here where we can converge behavior
> no matter what happens with other pieces of the platform.
>
> On 1/9/13 5:58 PM, Adam Barth wrote:
>>
>> Generally speaking, I'd recommend exposing as few things across
>> origins as possible.
>
> Yes, agreed.  For what it's worth, I believe Gecko recently made history not
> accessible cross-origin anymore, so with any luck you'll be able to make
> this change too if desired...

Do you have a link to the bug where that change was made?  It's
something I would definitely like to do if compatibility permits.
We'd probably start with a measurement experiment...

>> 6) In addition, the following APIs have extra security checks.  All
>> these APIs return a Node.  Before returning the Node, they check
>> whether the Node's document's origin is the same origin as the script
>> calling the API.  If not, they return null instead of the node.  (We
>> could potentially throw an exception here, but I'm just describing
>> what WebKit does, not what I think the optimum design is.)
>
> Returning null for these is probably fine.  I think I'd support making this
> list of things return null cross-origin.  Just to check, do you make this
> determination based on the origin or the effective script origin (in spec
> terms)?

The effective script origin.

Adam
Received on Friday, 11 January 2013 06:38:58 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 30 January 2013 18:48:12 GMT