- From: Adam Barth <w3c@adambarth.com>
- Date: Thu, 10 Jan 2013 22:29:02 -0800
- To: Boris Zbarsky <bzbarsky@mit.edu>
- Cc: whatwg <whatwg@lists.whatwg.org>, Ian Hickson <ian@hixie.ch>
On Wed, Jan 9, 2013 at 8:21 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> Adam, thank you for taking the time to put this together. I really
> appreciate it. There are lots of things here where we can converge behavior
> no matter what happens with other pieces of the platform.
>
> On 1/9/13 5:58 PM, Adam Barth wrote:
>>
>> Generally speaking, I'd recommend exposing as few things across
>> origins as possible.
>
> Yes, agreed. For what it's worth, I believe Gecko recently made history not
> accessible cross-origin anymore, so with any luck you'll be able to make
> this change too if desired...

Do you have a link to the bug where that change was made? It's something I
would definitely like to do if compatibility permits. We'd probably start
with a measurement experiment...

>> 6) In addition, the following APIs have extra security checks. All
>> these APIs return a Node. Before returning the Node, they check
>> whether the Node's document's origin is the same origin as the script
>> calling the API. If not, they return null instead of the node. (We
>> could potentially throw an exception here, but I'm just describing
>> what WebKit does, not what I think the optimum design is.)
>
> Returning null for these is probably fine. I think I'd support making this
> list of things return null cross-origin. Just to check, do you make this
> determination based on the origin or the effective script origin (in spec
> terms)?

The effective script origin.

Adam
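A small model of the "return null instead of the Node" check discussed above, added here as an illustration; it is not code from the thread or from WebKit. It encodes the origin-vs-effective-script-origin distinction using the current HTML spec's "same origin-domain" rule (the successor of "effective script origin"); the origin and node objects are constructed inputs, and the document.domain setter is simplified to a suffix check.

```javascript
// Constructed origin model: domain stays null until the document sets
// document.domain (the spec's "domain" component of a tuple origin).
function makeOrigin(scheme, host, port, domain = null) {
  return { scheme, host, port, domain };
}

// Plain same-origin: scheme, host and port must all match.
function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Same origin-domain (what "effective script origin" expressed in 2013):
// either same origin with neither side having set document.domain, or
// both sides set document.domain to the same value under the same scheme.
// Note the port is ignored once both sides have relaxed their domain, and
// that relaxing on only one side never grants access.
function sameOriginDomain(a, b) {
  if (a.domain === null && b.domain === null) return sameOrigin(a, b);
  if (a.domain !== null && b.domain !== null) {
    return a.scheme === b.scheme && a.domain === b.domain;
  }
  return false;
}

// The check the thread describes: compare the Node's document origin with
// the calling script's origin and hand back null on mismatch.
function nodeForCaller(node, callerOrigin) {
  return sameOriginDomain(node.documentOrigin, callerOrigin) ? node : null;
}

// Simplified document.domain setter: the new value must be the host itself
// or a dot-separated suffix of it (the real setter also rejects public
// suffixes such as "com").
function setDocumentDomain(origin, newDomain) {
  const ok = origin.host === newDomain || origin.host.endsWith('.' + newDomain);
  if (!ok) throw new Error('SecurityError: ' + newDomain + ' is not a suffix of ' + origin.host);
  return makeOrigin(origin.scheme, origin.host, origin.port, newDomain);
}

// Constructed sample: a node owned by a document at https://a.example.com.
const sampleNode = { name: 'frame-body', documentOrigin: makeOrigin('https', 'a.example.com', 443) };
```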
Received on Friday, 11 January 2013 06:38:58 UTC