- From: Ian Hickson <ian@hixie.ch>
- Date: Mon, 2 Apr 2012 21:54:56 +0000 (UTC)
- To: Boris Zbarsky <bzbarsky@MIT.EDU>
- cc: Simon Pieters <simonp@opera.com>, Cameron McCormack <cam@mcc.id.au>, public-webapps@w3.org, "public-script-coord@w3.org" <public-script-coord@w3.org>
On Mon, 2 Apr 2012, Boris Zbarsky wrote:
> On 4/2/12 2:50 AM, Simon Pieters wrote:
> > I can find:
> >
> > "User agents must throw a SecurityError exception whenever any
> > properties of a Document object are accessed by scripts whose effective
> > script origin is not the same as the Document's effective script origin."
> > http://www.whatwg.org/specs/web-apps/current-work/multipage/dom.html#documents
>
> Yeah. That sort of language is needed somewhere for all objects, not just
> Documents.

Why? My understanding is that security checks are only done for members of
Document and Window objects. If you have some other object already, then
nothing stops you from accessing it if you change your effective origin
after getting it.

> > I don't know how well this matches reality though.
>
> Reasonably well, last I checked, for window and document.
>
> > It seems the spec forbids access to iframe.contentWindow.document but
> > allows iframe.contentDocument.
>
> Yes. That's largely what implementations do...

I believe the spec here is actually consistent with reality, indeed. (In
particular, I believe Opera was stricter, and that that caused compat
issues. I don't see any security issues here.)

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 2 April 2012 21:55:20 UTC
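The following is an added example written for this archive page; it is not code from the thread, from the WHATWG spec, or from any browser engine. It models the spec sentence Simon quotes (property access on a Document by a script with a different effective script origin throws SecurityError) so the three points in the exchange can be exercised: the check lives on Document and Window only, iframe.contentDocument hands back the object while iframe.contentWindow.document throws at the property read, and an object already in hand stays reachable after the caller's effective origin changes. All class and function names (ScriptContext, gated, makeIframe, demo) are this example's own, and the caller is passed explicitly since Node has no notion of the currently running script's origin. The comparison follows the HTML spec's same origin-domain rule; the public-suffix restriction on document.domain is left out as a simplification.

```javascript
// Added example (not from the thread, the spec, or any engine): a model of
// the cross-origin gate on Document/Window property access.

class SecurityError extends Error {
  constructor(message) { super(message); this.name = "SecurityError"; }
}

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Origin = (scheme, host, port); `domain` stays null until document.domain is set.
// URL drops default ports, so http://a.example/ and http://a.example:80/ agree.
function originOf(urlString) {
  const u = new URL(urlString);
  return { scheme: u.protocol, host: u.hostname,
           port: u.port || DEFAULT_PORTS[u.protocol] || "", domain: null };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Effective-origin comparison (HTML "same origin-domain"): plain origins compare
// as tuples; two origins that both set document.domain compare on scheme and
// domain only; a relaxed origin never matches an unrelaxed one.
function sameEffectiveOrigin(a, b) {
  if (a.domain === null && b.domain === null) return sameOrigin(a, b);
  if (a.domain !== null && b.domain !== null) {
    return a.scheme === b.scheme && a.domain === b.domain;
  }
  return false;
}

// A script context: the effective script origin of one running script.
class ScriptContext {
  constructor(url) { this.effective = originOf(url); }
  // Model of assigning document.domain (public-suffix rule omitted: assumption).
  setDocumentDomain(domain) {
    const host = this.effective.host;
    if (host !== domain && !host.endsWith("." + domain)) {
      throw new SecurityError(`${domain} is not a suffix of ${host}`);
    }
    this.effective = { ...this.effective, domain };
  }
}

// Document and Window are the only objects carrying the gate: each property
// read by a caller with a different effective script origin throws.
function gated(kind, owner, props) {
  return {
    owner,
    get(caller, name) {
      if (!sameEffectiveOrigin(caller.effective, owner.effective)) {
        throw new SecurityError(`${kind}.${name} accessed cross-origin`);
      }
      return props[name];
    },
  };
}

// An iframe whose content is loaded from childUrl. contentWindow returns the
// child Window (reading .document on it is a gated Window property);
// contentDocument returns the Document object itself with no check, so the
// first gated step is the next property read on that Document.
function makeIframe(childUrl) {
  const child = new ScriptContext(childUrl);
  const doc = gated("Document", child,
                    { title: new URL(childUrl).hostname, body: { tagName: "BODY" } });
  const win = gated("Window", child, { document: doc });
  return { childContext: child, contentWindow: win, contentDocument: doc };
}

// Run an access and report "ok" or "SecurityError"; anything else is a bug.
function attempt(fn) {
  try { fn(); return "ok"; }
  catch (e) { if (e instanceof SecurityError) return "SecurityError"; throw e; }
}

function demo() {
  const parent = new ScriptContext("https://app.example.com/");
  const cross = makeIframe("https://cdn.example.net/widget");
  const r = {};
  r.contentWindowDocument = attempt(() => cross.contentWindow.get(parent, "document"));
  r.contentDocument = attempt(() => cross.contentDocument);            // object handed back
  r.contentDocumentTitle = attempt(() => cross.contentDocument.get(parent, "title"));

  // Ian's point: a non-Document object obtained while same-origin stays usable
  // after the caller relaxes document.domain, while the Document itself does not.
  const same = makeIframe("https://app.example.com/other");
  const body = same.contentDocument.get(parent, "body");
  parent.setDocumentDomain("example.com");
  r.documentAfterDomainChange = attempt(() => same.contentDocument.get(parent, "title"));
  r.bodyAfterDomainChange = attempt(() => body.tagName);
  // Once both sides relax to the same domain, Document access works again.
  same.childContext.setDocumentDomain("example.com");
  r.documentAfterBothRelaxed = attempt(() => same.contentDocument.get(parent, "title"));
  return r;
}

console.log(demo());
```

The model deliberately gates only Document and Window objects: the `body` object fetched from the same-origin frame keeps working after `parent.setDocumentDomain("example.com")` even though the same caller can no longer read the frame's `title`, which is exactly the asymmetry Hixie describes and why no "all objects" wording is needed for the check to hold.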