Re: [whatwg] Need to define same-origin policy for WebIDL operations/getters/setters from David Bruant on 2012-12-16 (public-script-coord@w3.org from October to December 2012)

From: David Bruant <bruant.d@gmail.com>
Date: Sun, 16 Dec 2012 11:34:33 +0100
To: Jonas Sicking <jonas@sicking.cc>
CC: "public-script-coord@w3.org" <public-script-coord@w3.org>, whatwg <whatwg@lists.whatwg.org>
Message-ID: <50CDA3B9.3010008@gmail.com>

Le 16/12/2012 02:33, Jonas Sicking a écrit :
> An "easy" solution would be to just return null for .contentDocument
> in the case of cross-origin iframes.
It might be a solution for the specific problem Boris showed, but he 
described a more generic problem. For instance:

     <iframe src="http://w3.org"></iframe>
     <script>
     window.onload = function () {
         var docGetter = Object.getOwnPropertyDescriptor(window, 
'document').get;

         var win = document.querySelector("iframe").contentWindow;
         var iframeDoc = docGetter.call(win);
     }
     </script>

This should blow up (and certainly do in engines where document is 
reflected as an accessor), but per WebIDL, I think iframeDoc is the 
iframe document regardless of the iframe origin. This is because the 
attribute getter algorithm doesn't care about the origin which is what 
Boris is worried about.

WebIDL needs to embed in some way the notion of origin to enable 
throwing for security reasons in the right places.

One idea would be to add an [OriginAware] extended attribute:
* On operations (like in Boris case), an origin check would be performed 
before calling the core of the operation
* On attributes, both the getter and setter would throw if "this" is not 
of the right origin.
* On interfaces, it would apply to everything (might be necessary for 
Window and Document)

David

>
> / Jonas
>
> On Sat, Dec 15, 2012 at 10:43 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
>> Ccing whatwg because that's where the whole "origin" thing is currently
>> defined.
>>
>> Consider this testcase:
>>
>> <iframe src="http://w3.org"></iframe><script>
>> window.onload = function () {
>>    try {
>>      var doc = document.querySelector("iframe").contentDocument;
>>      var list = document.getElementsByTagName.call(doc, "*");
>>      alert(list.item(0).textContent);
>>    } catch (e) {
>>      alert(e);
>>    }
>> }</script>
>>
>> This throws in Safari, Chrome, Firefox, and Opera, all on the
>> "getElementsByTagName.call" bit (except when loaded via file:// in Safari,
>> in which case it actually lets you read all data from random website in the
>> iframe).
>>
>> But I see nothing in the specs that requires this behavior, or indeed even
>> allows it.  The security bits currently in the html spec talk about property
>> access on cross-origin Document and Window, but in this case there is no
>> property access happening on them per se...
>>
>> In any case, this needs to be defined somewhere.
>>
>> -Boris

Received on Sunday, 16 December 2012 10:35:08 UTC