- From: Ian Hickson <ian@hixie.ch>
- Date: Mon, 2 Apr 2012 22:15:53 +0000 (UTC)
- To: Boris Zbarsky <bzbarsky@MIT.EDU>
- cc: Simon Pieters <simonp@opera.com>, Cameron McCormack <cam@mcc.id.au>, public-webapps@w3.org, "public-script-coord@w3.org" <public-script-coord@w3.org>

On Mon, 2 Apr 2012, Boris Zbarsky wrote:
> On 4/2/12 5:54 PM, Ian Hickson wrote:
> > My understanding is that security checks are only done for members of
> > Document and Window objects.
>
> That understanding certainly isn't correct as stated. For example,
> security checks are done on at least some members of Location objects
> (e.g. you can write location.href cross-origin, but not read it).

Ah, yes, Location also has checks, you are correct. (Those are in the spec too, IIRC. Actually Location has some other security things like preventing you from overriding its setter or some such.)

> But even past that, I believe the understanding doesn't reflect behavior
> of at least some implementations. I can't speak to all of them; I
> haven't done extensive testing here.
>
> That said,
> http://web.mit.edu/bzbarsky/www/testcases/effective-origin/test1.html
> has a testcase: Opera throws on the access after changing the origin to
> a different one. Gecko does not right now, but I believe we're strongly
> considering changing that behavior. Firefox versions up to Firefox 3
> did throw in this situation, for what it's worth.

Interesting. When speccing this stuff years ago, I do not recall coming across any browser other than Opera that had any security checks on objects other than the few that the spec talks about.

> > (In particular, I believe Opera was stricter, and that that caused
> > compat issues. I don't see any security issues here.)
>
> Interesting. Opera still seems to have the "stricter" behavior, in my
> testing...

I can believe that.

In general, unless there's a good security reason to do the checks, I think we'd be better off not doing them here. Having the checks can be expensive; it means at a minimum an extra pointer comparison and branch before each member access, which seems like a lot of expensive checking for something that really doesn't matter that much.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Monday, 2 April 2012 22:16:19 UTC
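
The per-member check discussed in the message above, as an added toy model in JavaScript (not code from the thread, the spec, or any browser). The names `guard`, `LOCATION_POLICY`, `attempt` and `demo`, the `example` origins, and the use of a string comparison in place of a browser's internal origin check are all assumptions made for illustration.

```javascript
// Toy model, constructed for illustration; not browser or spec code.
// Every guarded object has an owner origin and every caller has a mutable
// "effective origin". The check runs again on each member access, so a
// reference obtained while same-origin stops working after the origin changes.
class SecurityError extends Error {}

// Cross-origin policy for a Location-like object as described in the thread:
// href may be written cross-origin but not read. Unlisted members are denied.
const LOCATION_POLICY = { href: { read: false, write: true } };

function guard(target, ownerOrigin, caller, policy) {
  const check = (member, kind) => {
    // The extra comparison and branch paid before each member access.
    if (caller.origin === ownerOrigin) return;
    const rule = policy[member];
    if (!rule || !rule[kind]) {
      throw new SecurityError(`cross-origin ${kind} of ${String(member)} denied`);
    }
  };
  return new Proxy(target, {
    get(t, member) { check(member, "read"); return t[member]; },
    set(t, member, value) { check(member, "write"); t[member] = value; return true; },
  });
}

// Run fn and report whether the security check let it through.
function attempt(fn) {
  try { return { ok: true, value: fn() }; }
  catch (e) {
    if (e instanceof SecurityError) return { ok: false, error: e.message };
    throw e;
  }
}

function demo() {
  const location = { href: "https://a.example/start", hash: "" }; // constructed sample
  const caller = { origin: "https://a.example" };
  const view = guard(location, "https://a.example", caller, LOCATION_POLICY);
  const results = { sameOriginRead: attempt(() => view.href) };
  // The caller's effective origin changes while it still holds the reference.
  caller.origin = "https://b.example";
  results.crossOriginRead = attempt(() => view.href);
  results.crossOriginWrite = attempt(() => { view.href = "https://b.example/next"; return location.href; });
  results.crossOriginOther = attempt(() => view.hash);
  return results;
}
```
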