- From: Jonas Sicking <jonas@sicking.cc>
- Date: Thu, 8 Dec 2011 15:20:43 -0800
On Thu, Dec 8, 2011 at 3:15 PM, Mark S. Miller <erights at google.com> wrote:
> On Thursday, December 8, 2011, Yehuda Katz wrote:
>> Yehuda Katz
>> (ph) 718.877.1325
>>
>> On Thu, Dec 8, 2011 at 9:23 AM, Mark S. Miller <erights at google.com> wrote:
>>> Given only that the JSONP response has an ACCESS-CONTROL-ALLOW-ORIGIN:*
>>> header, the API you suggest below can be fully implemented as a library.
>>>
>>> Since any response that parses as JavaScript has no same origin
>>> protection anyway, rather than carve out a special case for JSONP, should we
>>> waive the ACCESS-CONTROL-ALLOW-ORIGIN:* requirement on responses that parse
>>> as JavaScript for XHR requests in general? If not, what justifies carving
>>> out a special case for JSONP?
>>
>> In the general case, executed JavaScript does not expose the content.
>
> The legacy content we're concerned with is written to work on ES3 browsers.
> By overriding "Object" and "Array", or by other subterfuge, you can corrupt
> an ES3 environment adequately to violate the confidentiality of scripts
> loaded later into the same frame. Anne Van Kesteren pointed out the only
> form of confidentiality we can be confident of in this context: comments
> (and whitespace and choice of internal variable names). Are these secrets
> worth giving up on the safety that could result from loading these scripts
> as data, so that we could then run them in a restricted manner (whether by
> translation, verification, or other tricks, e.g., SES)?

Yet browsers jump through hoops to not expose the contents of cross-origin scripts in error messages and the like. I would personally not be happy with Firefox exposing the contents of any cross-origin resource just because it happened to parse as JavaScript. Especially since JSON has become so popular as a mechanism to load data from a same-origin server. I don't know how other browser vendors feel.

This is why I used the strict definition of JSONP since such data can irrefutably be loaded cross-origin in all versions of all popular browsers.

/ Jonas
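As an added illustration (not code from this thread or from any browser), the following sketches what the "strict definition of JSONP" buys a library that wants to consume such a response as data rather than execute it: the response text must have exactly the shape `callback(<JSON literal>);`, the payload is handed to JSON.parse (which never runs code), and the library only does this when the response carries `Access-Control-Allow-Origin: *`, as Mark's first message assumes. The response object shape, the helper names and the sample responses are constructed for the example.

```javascript
// Strict JSONP shape: identifier, "(", payload, ")", optional ";", surrounding
// whitespace only. A leading comment, a second statement, or anything else
// that a real script loader would happily execute does not match.
const JSONP_SHAPE = /^\s*([A-Za-z_$][\w$]*)\s*\(\s*([\s\S]*?)\s*\)\s*;?\s*$/;

// Returns the decoded payload, or throws if the text is not strict JSONP
// addressed to the callback we asked for. JSON.parse is the only decoder,
// so the response never reaches a JavaScript engine as code.
function parseStrictJsonp(text, expectedCallback) {
  const m = JSONP_SHAPE.exec(text);
  if (!m) throw new Error("not a strict JSONP response");
  const [, callback, payload] = m;
  if (callback !== expectedCallback) throw new Error("unexpected callback name");
  return JSON.parse(payload); // throws on anything that is not a JSON literal
}

// Library-level policy from the thread: only treat a cross-origin response as
// readable data when the server has opted in with Access-Control-Allow-Origin: *.
// `response` is a constructed { headers: {name: value}, body: string } object.
function jsonpAsData(response, expectedCallback) {
  const acao = Object.entries(response.headers)
    .find(([name]) => name.toLowerCase() === "access-control-allow-origin");
  if (!acao || acao[1].trim() !== "*") {
    throw new Error("response not marked publicly readable (no Access-Control-Allow-Origin: *)");
  }
  return parseStrictJsonp(response.body, expectedCallback);
}

// Constructed sample: a public JSONP endpoint that opted in via CORS.
const publicResponse = {
  headers: { "Content-Type": "application/javascript", "Access-Control-Allow-Origin": "*" },
  body: 'cb({"user":"alice","ids":[1,2]});',
};
console.log(jsonpAsData(publicResponse, "cb")); // { user: 'alice', ids: [ 1, 2 ] }
```

Anything that parses as JavaScript but not as strict JSONP, for example a script that does real work before the callback, is rejected rather than executed, which is the distinction Jonas draws between "parses as JavaScript" and JSONP proper.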
Received on Thursday, 8 December 2011 15:20:43 UTC