Re: Breaking the `opener` relationship.

On Fri, Apr 28, 2017 at 1:39 AM, Mike West <mkwst@google.com> wrote:

> On Fri, Apr 28, 2017 at 10:26 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
>
>> On Fri, Apr 28, 2017 at 10:10 AM, Mike West <mkwst@google.com> wrote:
>> > `WindowProxy`'s `[[GetOwnProperty]]` uses
>> > https://html.spec.whatwg.org/#isplatformobjectsameorigin-(-o-): I'd just
>> > stick with that as a determinant of the properties listed in
>> > https://html.spec.whatwg.org/#crossoriginproperties-(-o-).
>>
>> Wouldn't you then fail to address point 7 of the threat model?
>>
>
> I thought Emily's proposal prevented point 7 by preventing isolated pages
> from setting `document.domain`, but I don't see that in the doc. Emily, am
> I just making things up now? :)
>
> Filed https://github.com/WICG/isolation/issues/12 to discuss, as I'd
> prefer that approach to increasing the complexity of the `WindowProxy`
> checks themselves.
>

You're right, it's supposed to turn off document.domain but I hadn't gotten
around to it yet (https://github.com/WICG/isolation/issues/3).


>
> -mike
>

Received on Friday, 28 April 2017 14:24:22 UTC