- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 26 Jun 2012 02:08:42 +0000 (UTC)
- To: Boris Zbarsky <bzbarsky@MIT.EDU>
- cc: Bobby Holley <bobbyholley@gmail.com>, public-script-coord@w3.org, w3c@adambarth.com, Johnny Stenback <jst@mozilla.com>, Blake Kaplan <mrbkap@mozilla.com>, Daniel Veditz <dveditz@mozilla.com>
On Mon, 25 Jun 2012, Boris Zbarsky wrote:
> On 6/25/12 7:13 PM, Ian Hickson wrote:
> > It can load A in an iframe.
>
> Ah, fair. So yes, reflecting random markup off the server is bad. ;)

So is taking references to nodes on other sensitive pages before changing
your security context. :-)

> > > No, they do security checks at Window boundaries. You're saying
> > > that authors should assume those security checks are not there.
> > > But they are, precisely to provide _some_ protection.
> >
> > But you're arguing this protection is essentially worthless
>
> No, I'm arguing this protection is hard to work with. That's not the
> same thing. _You_ are arguing it's worthless.

I wasn't really arguing anything more specific than "we don't value
document.domain", but if I had to argue something, it would likely be that
it's not that difficult to not screw this up, at least no harder than the
many other equally dangerous things one must do, like correctly escaping
HTML from user generated content.

> I think providing what's in the spec now makes some existing things work
> and makes it _possible_ to write pages that are safe but very difficult
> to do so.
>
> I think doing security checks (if needed; note that a UA can optimize
> many of these away for actual same-origin access) on a larger set of
> objects would make it _easier_ to write pages that are safe (though not
> completely foolproof, as your markup reflection example points out).

I don't fundamentally object to adding these requirements, if everyone
wants to implement them. After all, I'm going to spec whatever the
browsers do, at the end of the day. But given that these problems only
occur when you use document.domain, and given that document.domain is a
security disaster waiting to happen even if we do this, I really don't see
much point. I'd much rather have document.domain throw a big red warning
in the console and advocate for its demise.

--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 26 June 2012 02:09:08 UTC