Re: [whatwg] Adding crossorigin="" to more elements

From: Simon Pieters <simonp@opera.com>
Date: Mon, 17 Jun 2013 14:00:42 +0200
Message-ID: <51BEFA6A.6050600@opera.com>
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: Robert Kieffer <broofa@fb.com>, whatwg <whatwg@whatwg.org>, "Tab Atkins Jr." <jackalmage@gmail.com>, Ian Hickson <ian@hixie.ch>, Pablo Flouret <pablof@motorola.com>

On 6/17/13 1:44 PM, Boris Zbarsky wrote:
> On 6/17/13 6:05 AM, Simon Pieters wrote:
>> What's in CSSOM now is "tainting".
>
> Sort of.  I think of tainting as "you can write to it but read from 
> it", but what's in CSSOM is "you can't touch it".

True.

In CSSOM, since writing can have observable effects depending on what 
the style sheet was originally, it's difficult to allow writing to it 
without exposing information about what was there originally. For 
instance, insertRule can throw depending on the current state of the 
style sheet, and deleteRule throws if the index is out of range. I guess 
it's possible to do nothing instead of throwing, but it seemed simpler 
to just not allow writing. In practice, you can just write to a new 
style sheet instead.

> I guess the point is that whether you can touch or not is detected 
> statically at load time?

Yes.

> There needs to be some sort of dynamic check here in practice, since 
> extensions need to be able to touch these things even if the page 
> can't, but clearly that's out of scope of this specification.
>
>> It seems like the wrong model to use the effective script origin for
>> stylesheets
>
> That's possible, yes.  The default security checks in Gecko always use 
> effective script origin; a way to check the origin didn't even exist 
> until pretty recently.  So any security check dating back far enough 
> always uses the effective script origin...

OK.

>> Now, the spec could either use tainting or it could compare the origin
>> of the style sheet with the origin of the script that tries to access
>> it. This would only be different in a case like this
>
> Yes, agreed.
>
>> Since this currently throws in Firefox, it's likely that there isn't a
>> big Web compat problem to not support this. I think <canvas> doesn't
>> support the equivalent thing, either, per spec (although a <canvas> is a
>> bit different in that it can have lots of images drawn on it from
>> different origins).
>
> Right, canvas has a tainting model where once you taint it no one can 
> read from it (modulo extensions) even though they can keep writing to 
> it, because trying to define an origin for such a thing would involve 
> having an actual origin lattice in the platform or something along 
> those lines.  ;)
>
> In any case, I don't have a huge problem with what's in CSSOM right 
> now if it better matches what other UAs do.  Finding resources to 
> change the Gecko behavior is another matter.  :(

OK, thanks.

-- 
Simon Pieters
Opera Software
Received on Monday, 17 June 2013 11:59:40 UTC
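
The following is an added example, not part of the message above or of any browser's or specification's code: a toy JavaScript model of the point that write access alone can expose information about a cross-origin style sheet, because deleteRule throws when the index is out of range. `ModelSheet`, its `policy` values, `ruleCount` and `countDisclosedByWrites` are hypothetical names, and the rule strings are constructed.

```javascript
// Model only: constructed for illustration, not browser or specification code.
function domError(name, msg) {
  const e = new Error(msg);
  e.name = name;
  return e;
}

class ModelSheet {
  // policy: "write-only-taint" (hypothetical model where writes are allowed)
  //         or "no-touch" (the "you can't touch it" model described in the thread)
  constructor(rules, originClean, policy) {
    this.rules = [...rules];
    this.originClean = originClean; // decided once, at load time
    this.policy = policy;
  }
  check(isRead) {
    if (this.originClean) return;
    if (isRead || this.policy === "no-touch") {
      throw domError("SecurityError", "cross-origin style sheet");
    }
  }
  get ruleCount() { this.check(true); return this.rules.length; }
  deleteRule(index) {
    this.check(false);
    if (index < 0 || index >= this.rules.length) {
      throw domError("IndexSizeError", "index out of range");
    }
    this.rules.splice(index, 1);
  }
}

// Returns what the error behaviour of writes alone discloses about the sheet:
// the number of rules it held, or null when every access is refused.
function countDisclosedByWrites(sheet) {
  let n = 0;
  for (;;) {
    try {
      sheet.deleteRule(0);
      n++;
    } catch (e) {
      return e.name === "IndexSizeError" ? n : null;
    }
  }
}

// Constructed sample: a cross-origin (not origin-clean) sheet with three rules.
const sampleRules = ["a{}", "b{}", "c{}"];
console.log(countDisclosedByWrites(new ModelSheet(sampleRules, false, "write-only-taint"))); // 3
console.log(countDisclosedByWrites(new ModelSheet(sampleRules, false, "no-touch")));         // null
```

In the write-only model the rule count is unreadable through `ruleCount` yet recoverable from the exceptions; in the no-touch model the same calls disclose nothing.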