Re: [whatwg] Need to define same-origin policy for WebIDL operations/getters/setters

On Wed, Jan 9, 2013 at 2:18 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> On 1/9/13 4:33 PM, Adam Barth wrote:
>> For what it's worth, that doesn't appear to be necessary for web
>> compatibility.  Any time WebKit would return a Document to a script in
>> another origin, WebKit returns null instead.
>
> The HTML spec requires that property access on documents use effective
> script origin for checks.
>
> Effective script origins are mutable.
>
> It is in fact possible to get your hands on a document in a different
> effective script origin in WebKit (thanks, document.domain).

Those checks are required neither for compatibility nor for security.
The spec might say to perform the checks, but they aren't needed to
build a secure, compatible browser.

Adam

Received on Wednesday, 9 January 2013 22:20:52 UTC
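The point Boris raises above, that effective script origins are mutable and that a Document reference obtained while same-origin can end up in a different effective script origin once one side sets document.domain, is easier to see in a small model. The following is an added illustration written for this archive page; it is not code from the thread, from WebKit or from any browser. It models the HTML "same origin" and "same origin-domain" comparisons and the document.domain setter. The assumptions are labelled in the comments: there is no public-suffix list, so a dotted suffix stands in for "registrable domain suffix", and the frames, hosts and ports are made up for the scenario.

```javascript
// Added example: a model of the HTML origin comparisons that decide
// cross-document property access, showing why "effective script origin"
// is mutable. This is illustrative code, not browser or spec code.

// An origin tuple (scheme, host, port) plus the "domain" slot that the
// document.domain setter fills in. Port is a number or null.
function makeOrigin(scheme, host, port) {
  return { scheme, host, port, domain: null };
}

// document.domain setter, simplified from HTML: the new value must equal
// the host or be a dotted suffix of it. Assumption: no public-suffix list,
// so requiring at least one dot in the value stands in for the
// "is a registrable domain suffix of" check. Anything else is a SecurityError.
function setDocumentDomain(origin, value) {
  const v = value.toLowerCase();
  const isSuffix = origin.host.endsWith("." + v) && v.includes(".");
  if (v !== origin.host && !isSuffix) {
    throw new Error("SecurityError: '" + value + "' is not a suffix of " + origin.host);
  }
  origin.domain = v;
}

// Classic same-origin comparison: scheme, host and port must all match.
function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// "Same origin-domain", the effective-script-origin comparison used for
// cross-document access: if neither side has set document.domain, fall
// back to same-origin; if both have, compare scheme and domain and ignore
// the port; if only one side has, they differ.
function sameOriginDomain(a, b) {
  if (a.domain === null && b.domain === null) return sameOrigin(a, b);
  if (a.domain !== null && b.domain !== null) {
    return a.scheme === b.scheme && a.domain === b.domain;
  }
  return false;
}

// Scenario from the thread (hosts and ports are constructed): a parent
// frame keeps a reference to a child Document obtained while the two were
// same-origin; the child then sets document.domain. The parent's reference
// now points at a Document in a different effective script origin, so a
// check done only when the reference was handed out would not catch it.
function heldReferenceScenario() {
  const parent = makeOrigin("https", "a.example.com", 443);
  const child = makeOrigin("https", "a.example.com", 443);
  const childDoc = { origin: child }; // the reference the parent holds on to
  const allowedWhenObtained = sameOriginDomain(parent, childDoc.origin);
  setDocumentDomain(child, "example.com");
  const allowedOnLaterAccess = sameOriginDomain(parent, childDoc.origin);
  return { allowedWhenObtained, allowedOnLaterAccess };
}

// The reverse direction: two frames that are not same-origin (different
// hosts and ports) become same origin-domain once both set document.domain
// to the common suffix, because the port is ignored in that comparison.
function bothRelaxScenario() {
  const a = makeOrigin("https", "a.example.com", 8443);
  const b = makeOrigin("https", "b.example.com", 443);
  const beforeRelax = sameOriginDomain(a, b);
  setDocumentDomain(a, "example.com");
  setDocumentDomain(b, "example.com");
  const afterRelax = sameOriginDomain(a, b);
  return { beforeRelax, afterRelax };
}

// A value that is not a suffix of the host is rejected by the setter.
function rejectsForeignDomain() {
  const o = makeOrigin("https", "a.example.com", 443);
  try {
    setDocumentDomain(o, "attacker.example");
    return false;
  } catch (e) {
    return /SecurityError/.test(e.message) && o.domain === null;
  }
}
```

The two scenarios are the two halves of the mutability argument: a reference can move out of the holder's effective script origin after it was obtained, and two documents that were never same-origin can move into one. A browser that checks only when a Document is first handed out sees the first state; a browser that checks on every property access sees the current one.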