W3C home > Mailing lists > Public > whatwg@whatwg.org > March 2006

[whatwg] The problem of duplicate ID as a security issue

From: Ric Hardacre <whatwg@cycloid.f9.co.uk>
Date: Wed, 15 Mar 2006 10:10:08 +0000
Message-ID: <4417E800.4070707@cycloid.f9.co.uk>
>> Yes, I saw Ric's reply. A nice suggestion, but that implies <sandbox> 
>> is a documentElement by itself, or is it a DOMSandbox needing to be 
>> defined?
> Sandboxes are quite special things, so we'll need a DOMSandbox anyway. 
> But instead of adding things like getElementById() to the DOMSandbox 
> interface, I tend to make the "fake document" which is visible from 
> inside the sandbox a member of the sandbox itself. The call will look 
> like sandbox.document.getElementById().

I think that treating <sandbox> as a document object per-se may be a bit 
of overkill, from a coding perspective all it should take is for the 
implementing browser to flag a script as being contained within a 
sandbox, or not, psudeocode:

documentGetElementByIdWrapper( elementID )
    if( theScript.sandboxElement )
       return theScript.sandboxElement.getElementById( elementID );

    if( globalDocumentElement )
       return globalDocumentElement.getElementById( elementID );
    return null;

Ric Hardacre
Received on Wednesday, 15 March 2006 02:10:08 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:58:45 UTC