[whatwg/webidl] "attribute getter" steps skip security checks on namespaces (Issue #1133) from Tab Atkins Jr. on 2022-04-29 (public-webapps-github@w3.org from April 2022)

From: Tab Atkins Jr. <notifications@github.com>
Date: Fri, 29 Apr 2022 12:42:20 -0700
To: whatwg/webidl <webidl@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/webidl/issues/1133@github.com>

The [attribute getter algo](https://webidl.spec.whatwg.org/#dfn-attribute-getter) can be called with an interface or a namespace. However, step 1.1.2 only checks if the object is an interface; if it is, it does some security checks, and actually grabs the IDL value, so step 1.1.3 can invoke the getter steps for the attribute on it.

A namespace will fail that check, meaning "idlObject" is left as `null` (set in step 1.1.1), and then 1.1.3 invokes the getter steps for the namespace's attribute on `null`. This'll break spec algos that expect the `[=this=]` value to actually be the namespace object the attribute is defined on.

Is this intentional? Are namespaces not intended to be able to carry any internal state that an attribute getter might look at?  (And intended to be accessible cross-origin, since the security check is bypassed? Well, I suppose getting the namespace object from `Window` in the first place would fail, since none of the allowed [cross-origin properties](https://html.spec.whatwg.org/multipage/browsers.html#crossoriginproperties-(-o-)) are namespaces.)  If so, would you mind if I PR'd some editorial fixes that make it clear this is intentional rather than it just being a behavior that falls out of the algo?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/webidl/issues/1133
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/webidl/issues/1133@github.com>

Received on Friday, 29 April 2022 19:42:32 UTC