W3C home > Mailing lists > Public > public-script-coord@w3.org > October to December 2012

Need to define same-origin policy for WebIDL operations/getters/setters

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Sat, 15 Dec 2012 13:43:35 -0500
Message-ID: <50CCC4D7.8010206@mit.edu>
To: "public-script-coord@w3.org" <public-script-coord@w3.org>
CC: whatwg <whatwg@lists.whatwg.org>
Ccing whatwg because that's where the whole "origin" thing is currently 

Consider this testcase:

<iframe src="http://w3.org"></iframe><script>
window.onload = function () {
   try {
     var doc = document.querySelector("iframe").contentDocument;
     var list = document.getElementsByTagName.call(doc, "*");
   } catch (e) {

This throws in Safari, Chrome, Firefox, and Opera, all on the 
"getElementsByTagName.call" bit (except when loaded via file:// in 
Safari, in which case it actually lets you read all data from random 
website in the iframe).

But I see nothing in the specs that requires this behavior, or indeed 
even allows it.  The security bits currently in the html spec talk about 
property access on cross-origin Document and Window, but in this case 
there is no property access happening on them per se...

In any case, this needs to be defined somewhere.

Received on Saturday, 15 December 2012 18:44:04 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:08 UTC