W3C home > Mailing lists > Public > whatwg@whatwg.org > January 2013

Re: [whatwg] Need to define same-origin policy for WebIDL operations/getters/setters

From: Jonas Sicking <jonas@sicking.cc>
Date: Mon, 14 Jan 2013 17:34:31 -0800
Message-ID: <CA+c2ei-w5eBwhusRy0VTsdz+EfXZFuYuU2_RyPrC0KDimCA-pQ@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: whatwg <whatwg@lists.whatwg.org>, Boris Zbarsky <bzbarsky@mit.edu>, Ian Hickson <ian@hixie.ch>
On Jan 9, 2013 11:59 PM, "Adam Barth" <w3c@adambarth.com> wrote:

> To gather this information, I grepped the WebKit IDL files for
> "CheckSecurity".  Here's what I learned:
[snip]

I see no mention of document.domain handling in your description.

How do you handle the case when script from one Window grabs a Node from
another Window and then the document of one of the two Windows change its
document.domain property?

Also, in another email you mentioned that you had managed to implement the
security restrictions on the Window object as a white-list rather than a
black list by marking some interfaces as "needs same-origin checks" and
then listing the functions that don't need it.

Does this mean that you mark all interfaces that are implemented by the
Window and Location objects as "needs security checks"? Including
EventTarget?

/ Jonas
Received on Tuesday, 15 January 2013 01:34:57 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 30 January 2013 18:48:12 GMT