Re: [w3c/browser-payment-api] Security hole in payment API when a constructor from a no longer active document is invoked (#361)

The WebSocket testcase isn't quite right.  You want this one: http://software.hixie.ch/utilities/js/live-dom-viewer/?saved=4721

Note that that one does not throw in Chrome.  It does throw in Gecko, but a non-spec exception, because per websocket spec this situation should _not_ throw for websocket.  Maybe that's a flaw in the websocket spec; hard to tell.  I would think there is, because nothing obviously shuts down that websocket connection if it gets established!  I filed https://github.com/whatwg/html/issues/2153 on this.

But note that websocket doesn't seem to rely in any way on the active document of the browsing context of its global or anything like that, and there's no real spoofing risk there either.  So at least it's not a security issue.

> However I can't find where in WebIDL it says to "perform a security check" for constructors

Perform a security check against what object, exactly?

> Is each constructor algorithm expected to do a security check

I don't think it's a matter of security checks at all.  It's a matter of active document checks.  And yes, constructors should perform those themselves, because some constructors may be perfectly fine to call in inactive documents, if we think it's ok to do anything at all in inactive documents.

https://github.com/w3c/browser-payment-api/issues/361#issuecomment-265814366

Received on Thursday, 8 December 2016 18:23:39 UTC