- From: Hallvord R. M. Steen <hallvord@opera.com>
- Date: Thu, 23 Jun 2011 00:51:35 +0900
On Tue, 21 Jun 2011 23:42:32 +0900, Boris Zbarsky <bzbarsky at mit.edu> wrote:

> On 6/21/11 5:21 AM, Hallvord R. M. Steen wrote:
>> Another issue I noticed is in the text under the heading "the
>> javascript: URL scheme" - specifically the last "otherwise" part of the
>> text. This is about trying to navigate a window from a different origin
>> to a javascript: URL. Don't we expect a security exception here?
>
> I don't think so, no.
>
> In particular, this check needs to happen right before running the
> script, which happens asynchronously, right?

Opera actually does a check earlier - there is an origin check if a script attempts to set location / location.href to a string that starts with javascript:. (This model is of course safe if the javascript: URL executes immediately. If there is any way to insert a predictable delay between the security check and the actual execution, a timing-sensitive XSS attack might be possible.)

> So at that point throwing a security exception doesn't make much sense...

Well, I somewhat disagree with the "doesn't make much sense" claim here ;). It made sense to me to inform either the setting script or the script inside the javascript: URL itself of the problem by throwing an exception. However, I guess the latter is somewhat murky security-wise for little gain, and the former would mean throwing a new exception when most engines apparently haven't done so traditionally, so we should avoid that.

Summing up, I think HTML5 spec is OK as-is, and will report a bug to get us to align.

--
Hallvord R. M. Steen, Core Tester, Opera Software
http://www.opera.com http://my.opera.com/hallvors/
Received on Wednesday, 22 June 2011 08:51:35 UTC
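
The check-timing question discussed in this message, as an added example (a toy model, not code from the message, the HTML5 spec or any browser): it compares an origin check made when the javascript: URL is assigned with one made right before the queued script runs. The window object, task queue, policy names and `example` origins are constructed assumptions.

```javascript
// Toy model of a window and a task queue; constructed for illustration,
// not a browser API.
function makeWindow(origin) {
  return { origin, executed: [] };
}

// Ask `target` to run a javascript: URL on behalf of `callerOrigin`.
// policy "at-set": origin check when location is assigned (the early check).
// policy "at-run": origin check right before the script runs.
function requestJavascriptUrl(callerOrigin, target, url, policy, queue) {
  if (policy === "at-set" && callerOrigin !== target.origin) {
    return "rejected-at-set";
  }
  // Execution is asynchronous: the script only runs when the queue drains.
  queue.push(() => {
    if (policy === "at-run" && callerOrigin !== target.origin) {
      return "rejected-at-run";
    }
    // Record which origin the script actually ran in.
    target.executed.push({ url, origin: target.origin });
    return "executed";
  });
  return "queued";
}

// Drain pending tasks in order and return each task's outcome.
function drain(queue) {
  const results = [];
  while (queue.length > 0) results.push(queue.shift()());
  return results;
}

// Caller and target share an origin at assignment time; optionally the
// target's origin changes while the task is still pending.
function simulate(policy, originChangesWhilePending) {
  const queue = [];
  const target = makeWindow("https://a.example");
  const setResult = requestJavascriptUrl(
    "https://a.example", target, "javascript:void 0", policy, queue);
  if (originChangesWhilePending) target.origin = "https://b.example";
  const runResult = drain(queue)[0];
  return { setResult, runResult, executed: target.executed };
}
```

With the early check, the decision made at assignment time is stale by the time the task runs if the origin changed in between; the check at run time rejects that case, and both policies agree when nothing changes while the task is pending.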