Re: [whatwg] Need to define same-origin policy for WebIDL operations/getters/setters

On Wed, Jan 9, 2013 at 8:21 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> Adam, thank you for taking the time to put this together.  I really
> appreciate it.  There are lots of things here where we can converge behavior
> no matter what happens with other pieces of the platform.
>
> On 1/9/13 5:58 PM, Adam Barth wrote:
>>
>> Generally speaking, I'd recommend exposing as few things across
>> origins as possible.
>
> Yes, agreed.  For what it's worth, I believe Gecko recently made history not
> accessible cross-origin anymore, so with any luck you'll be able to make
> this change too if desired...

Do you have a link to the bug where that change was made?  It's
something I would definitely like to do if compatibility permits.
We'd probably start with a measurement experiment...

>> 6) In addition, the following APIs have extra security checks.  All
>> these APIs return a Node.  Before returning the Node, they check
>> whether the Node's document's origin is the same origin as the script
>> calling the API.  If not, they return null instead of the node.  (We
>> could potentially throw an exception here, but I'm just describing
>> what WebKit does, not what I think the optimum design is.)
>
> Returning null for these is probably fine.  I think I'd support making this
> list of things return null cross-origin.  Just to check, do you make this
> determination based on the origin or the effective script origin (in spec
> terms)?

The effective script origin.

Adam

Received on Friday, 11 January 2013 06:38:58 UTC