- From: Simon Pieters <simonp@opera.com>
- Date: Mon, 17 Jun 2013 14:00:42 +0200
- To: Boris Zbarsky <bzbarsky@mit.edu>
- Cc: Robert Kieffer <broofa@fb.com>, whatwg <whatwg@whatwg.org>, "Tab Atkins Jr." <jackalmage@gmail.com>, Ian Hickson <ian@hixie.ch>, Pablo Flouret <pablof@motorola.com>
On 6/17/13 1:44 PM, Boris Zbarsky wrote: > On 6/17/13 6:05 AM, Simon Pieters wrote: >> What's in CSSOM now is "tainting". > > Sort of. I think of tainting as "you can write to it but read from > it", but what's in CSSOM is "you can't touch it". True. In CSSOM, since writing can have observable effects depending on what the style sheet was originally, it's difficult to allow writing to it without exposing information about what was there originally. For instance, insertRule can throw depending on the current state of the style sheet, and deleteRule throws if the index is out of range. I guess it's possible to do nothing instead of throwing, but it seemed simpler to just not allow writing. In practice, you can just write to a new style sheet instead. > I guess the point is that whether you can touch or not is detected > statically at load time? Yes. > There needs to be some sort of dynamic check here in practice, since > extensions need to be able to touch these things even if the page > can't, but clearly that's out of scope of this specification. > >> It seems like the wrong model to use the effective script origin for >> stylesheets > > That's possible, yes. The default security checks in Gecko always use > effective script origin; a way to check the origin didn't even exist > until pretty recently. So any security check dating back far enough > always uses the effective script origin... OK. >> Now, the spec could either use tainting or it could compare the origin >> of the style sheet with the origin of the script that tries to access >> it. This would only be different in a case like this > > Yes, agreed. > >> Since this currently throws in Firefox, it's likely that there isn't a >> big Web compat problem to not support this. I think <canvas> doesn't >> support the equivalent thing, either, per spec (although a <canvas> is a >> bit different in that it can have lots of images drawn on it from >> different origins). > > Right, canvas has a tainting model where once you taint it no one can > read from it (modulo extensions) even though they can keep writing to > it, because trying to define an origin for such a thing would involve > having an actual origin lattice in the platform or something along > those lines. ;) > > In any case, I don't have a huge problem with what's in CSSOM right > now if it better matches what other UAs do. Finding resources to > change the Gecko behavior is another matter. :( OK, thanks. -- Simon Pieters Opera Software
Received on Monday, 17 June 2013 11:59:40 UTC