Re: [whatwg] Need to define same-origin policy for WebIDL operations/getters/setters

On Wed, Jan 9, 2013 at 12:23 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> On 1/9/13 3:12 PM, Adam Barth wrote:
>> As I've stated several times on this thread (and many times over the
>> years), my opinion is that we should not expose an asymmetric access
>> relation to the web platform.
>
> OK, let's agree to disagree on this one for now.
>
> Do we at least agree that this code:
>
>   window.addEventListener.call(otherWindow, "click", function() {});
>
> should throw if and only if window and otherWindow are not same-origin (for
> some definition of same-origin, now that we have several different origins
> involved...)?

This example does not appear to throw an exception in Chrome.  It
appears to just return undefined without doing anything (except
logging a security error to the debug console).

> And if we do, do we agree that this needs to be specified somewhere?

Yes, but this example is unrelated to the example you started this
thread with.  The WindowProxy and Location objects are special,
magical objects that work differently from other interfaces because
they are visible across origins.  The Document interface (which is
what we started this thread discussing) is never visible across
origins and so does not have any of these complexities.  Earlier in
this thread, you wrote that you didn't want to discuss Location:

---8<---
I'm not touching Location with a 10-foot pole.  That's all Bobby.  ;)
Seriously, though, fitting Location into any sort of security setup is
somewhat hard.
--->8---

The WindowProxy object is even more complex than the Location object.
I agree that fitting Location and WindowProxy into any sort of
security setup is difficult.  That's why I don't want to infect the
rest of the platform with their complexity.  (Again, I understand
that Gecko has already jumped off the cliff in this regard---I'm just
not interested in jumping off as well.)

Adam

Received on Wednesday, 9 January 2013 21:13:45 UTC
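
Added example (not part of the original message and not any browser's code): a small probe that tells apart the two outcomes discussed above for a call such as `window.addEventListener.call(otherWindow, ...)`, namely throwing versus silently returning undefined. The names `classifyCrossTargetCall`, `makeWindow`, `throwingAddEventListener` and `silentAddEventListener` are hypothetical, the window objects are constructed stand-ins, and "same-origin" is assumed to mean equality of the serialized origin string.

```javascript
// Classify how an operation behaves when invoked with a foreign `this`.
// Returns "threw:<ErrorName>", "silent-noop" or "took-effect".
function classifyCrossTargetCall(operation, target, args, tookEffect) {
  try {
    operation.apply(target, args);
  } catch (err) {
    return "threw:" + ((err && err.name) || "unknown");
  }
  // No exception: only an explicit side-effect check can tell a blocked
  // call from one that actually ran.
  return tookEffect(target) ? "took-effect" : "silent-noop";
}

// Constructed stand-in for a window; not a real WindowProxy.
function makeWindow(origin) {
  return { origin: origin, listeners: [] };
}

// Models the behaviour proposed in the quoted question: throw unless the
// caller and the target are same-origin (assumed: string equality).
function throwingAddEventListener(callerOrigin) {
  return function (type, listener) {
    if (this.origin !== callerOrigin) {
      const err = new Error("cross-origin access blocked");
      err.name = "SecurityError";
      throw err;
    }
    this.listeners.push({ type: type, listener: listener });
  };
}

// Models the behaviour reported for Chrome in the reply: no exception,
// undefined returned, nothing registered. The console message it logs is
// not observable from script, so it is not modelled.
function silentAddEventListener(callerOrigin) {
  return function (type, listener) {
    if (this.origin !== callerOrigin) return undefined;
    this.listeners.push({ type: type, listener: listener });
  };
}

// Side-effect check used with the stand-in windows above.
function hasListener(w) {
  return w.listeners.length > 0;
}
```

In a browser, `operation` would be `window.addEventListener` and `target` a frame's `contentWindow`; `tookEffect` then has to be a check the calling origin is actually able to perform.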