- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 8 Jan 2013 07:16:54 +0000 (UTC)
- To: Boris Zbarsky <bzbarsky@MIT.EDU>
- Cc: whatwg@lists.whatwg.org
On Tue, 8 Jan 2013, Boris Zbarsky wrote: > On 1/8/13 1:42 AM, Boris Zbarsky wrote: > >On 1/7/13 11:28 PM, Ian Hickson wrote: > > > The check is the same -- if the Document that is the "this" to which > > > the property is being applied doesn't match the origin of the script > > > that is doing the applying, throw SecurityError. > > Actually, that's not enough. You have to security-check arguments too. > Otherwise this: > > document.createTreeWalker(crossFrameDoc, etc); > > would be bad. (Note that right now the DOM spec fails to handle this, > which is about what I would expect out of people creating APIs, which is > why I would really prefer we define this on a low level where people > can't screw up by forgetting it.) I don't know about Document, but I can definitely think of APIs where it makes sense to be passing Window objects from other origins. (For example, one could imagine a PortCollection analogue for Window.postMessage() where you push the destination Window objects into an opaque object and then have the browser iterate over them.) I would be fine with an annotation on Document and Window that says that you can't pass them in as arguments when they're cross-origin except if the method's argument has itself been annotated with a "I know what I'm doing" marker. (Dunno how this would work with Location and Storage.) But if there's only one API that takes any of these four object types currently (I couldn't find any that took Document or Window in the HTML spec in a cursory look) then maybe it's not worth the bother. Wack a mole isn't _so_ bad if it's one mole a decade. -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 8 January 2013 07:17:23 UTC