- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Wed, 09 Jan 2013 23:21:51 -0500
- To: Adam Barth <w3c@adambarth.com>
- Cc: whatwg <whatwg@lists.whatwg.org>, Ian Hickson <ian@hixie.ch>
Adam, thank you for taking the time to put this together. I really appreciate it. There are lots of things here where we can converge behavior no matter what happens with other pieces of the platform. On 1/9/13 5:58 PM, Adam Barth wrote: > Generally speaking, I'd recommend exposing as few things across > origins as possible. Yes, agreed. For what it's worth, I believe Gecko recently made history not accessible cross-origin anymore, so with any luck you'll be able to make this change too if desired... > 6) In addition, the following APIs have extra security checks. All > these APIs return a Node. Before returning the Node, they check > whether the Node's document's origin is the same origin as the script > calling the API. If not, they return null instead of the node. (We > could potentially throw an exception here, but I'm just describing > what WebKit does, not what I think the optimum design is.) Returning null for these is probably fine. I think I'd support making this list of things return null cross-origin. Just to check, do you make this determination based on the origin or the effective script origin (in spec terms)? > I should also say that it's entirely possible we've screwed up our > implementation of this security model. If you discover that we have, > I'd prefer if you filed a security bug rather than telling the world > on this public mailing list. :) Indeed. ;) -Boris
Received on Thursday, 10 January 2013 04:22:20 UTC