- From: Adam Barth <w3c@adambarth.com>
- Date: Wed, 9 Jan 2013 13:12:47 -0800
- To: Boris Zbarsky <bzbarsky@mit.edu>
- Cc: whatwg <whatwg@lists.whatwg.org>, Ian Hickson <ian@hixie.ch>

On Wed, Jan 9, 2013 at 12:23 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> On 1/9/13 3:12 PM, Adam Barth wrote:
>> As I've stated several times on this thread (and many times over the
>> years), my opinion is that we should not expose an asymmetric access
>> relation to the web platform.
>
> OK, let's agree to disagree on this one for now.
>
> Do we at least agree that this code:
>
>   window.addEventListener.call(otherWindow, "click", function() {});
>
> should throw if and only if window and otherWindow are not same-origin (for
> some definition of same-origin, now that we have several different origins
> involved...)?

This example does not appear to throw an exception in Chrome. It appears to just return undefined without doing anything (except logging a security error to the debug console).

> And if we do, do we agree that this needs to be specified somewhere?

Yes, but this example is unrelated to the example you started this thread with. The WindowProxy and Location objects are special, magical objects that work differently from other interfaces because they are visible across origins. The Document interface (which is what we started this thread discussing) is never visible across origins and so does not have any of these complexities.

Earlier in this thread, you wrote that you didn't want to discuss Location:

---8<---
I'm not touching Location with a 10-foot pole. That's all Bobby. ;)

Seriously, though, fitting Location into any sort of security setup is somewhat hard.
--->8---

The WindowProxy object is even more complex than the Location object. I agree that fitting Location and WindowProxy into any sort of security setup is difficult. That's why I don't want to infect the rest of the platform with their complexity. (Again, I understand that Gecko has already jumped off the cliff in this regard---I'm just not interested in jumping off as well.)

Adam

Received on Wednesday, 9 January 2013 21:13:45 UTC