Re: [whatwg] Need to define same-origin policy for WebIDL operations/getters/setters from Boris Zbarsky on 2013-01-08 (public-whatwg-archive@w3.org from January 2013)

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Mon, 07 Jan 2013 20:55:07 -0500
To: whatwg@lists.whatwg.org
Message-ID: <50EB7C7B.4040802@mit.edu>

On 1/7/13 6:41 PM, Ian Hickson wrote:
> Most things don't have an origin.

Pretty much everything has an origin in practice: it's associated with 
some Window, hence can be treated as having the same origin as that Window.

> Origin checks are only done in some very
> specific places where you try to get an object's properties; what we're
> saying here is that for those properties, you also need to do the check
> when you run the code behind those properties (e.g. call a method),
> against the "this".

I'm not quite sure we're talking about the same thing here.  Can you 
give an example of what you're thinking?

What _I'm_ thinking is that there needs to be a security check when 
someone does 
Document.prototype.getElementsByTagName.call(subframe.contentDocument). 
  This is not the same security check as the one performed by 
subframe.contentDocument.getElementsByTagName (note lack of call; it 
never gets that far in the cross-origin case).  This is independent of 
whether we're doing security checks on all property access or on some of 
them.

>> Is it that we want to avoid the overhead of origin checking if we know
>> that calling the operation does not leak information?  Or it it that
>> only a limited set of objects is exposed cross origin anyway, so we only
>> need to check those?
>
> Both.

Implementing different security models on the IDL level is a footgun of 
enormous size.  We should simply have IDL methods throw if called with 
not-same-origin "this" or arguments, except for a whitelist.  In my 
opinion.  Anything else is fragile and leads to security whack-a-mole.

Not that we can have the argument about which interfaces are subject to 
this security check if you want to only limit it to some objects; or 
example you could argue that this is only needed on Window, EventTarget, 
Document, Node, and a few others.  That's a separate argument from 
whether the security checks for those interfaces should be opt-in or 
opt-out.

-Boris

Received on Tuesday, 8 January 2013 01:55:33 UTC