Re: Fwd: Data uri origin inheritance

On 1/15/14 12:17 PM, João Eiras wrote:
> top.document.getElementsByTagName('iframe')[...].src="data:...";

OK.  That will alias the origin of top.document, yes.

>> But note that there are things other than origin that we may want
>> to inherit here.  For example, CSP settings.
>
> Hum... I did not understand the answer. Again "How can a script in B
> trigger a navigation in A while having a different origin? What's
> the setup between A and B ?"

One key issue is that the origin is _aliased_, not inherited.

So if A and B start off same-origin and then script in B does:

   A.getElementsByTagName('iframe')[0].contentWindow.location = "data:..."

then the load will alias the origin of B, not that of A.  Then if B sets
document.domain that will affect the document.domain of the subframe,
but if A sets it that will not affect the subframe.

And again, there is talk of aliasing the CSP, not just the origin, and
it's pretty clear that A and B can be same-origin but have different CSP.

> Well, that's what I said: C would tell A to navigate B (actually A is
> too much there, C would navigate B).

That's an important difference.  If C tells A to navigate B, B will
alias the origin of A. If C just navigates B itself, B will alias the
origin of C.

>> The use case for data: URIs aliasing origins at all?  Or for the
>> specific determination of which origin to alias when you're
>> navigated from JS and the callstack has stackframes from different
>> origins?
>
> The second question please. I think the first one is pretty standard
> and understood by now.

The origin that's used is the origin of the innermost stack frame,
basically.  What the spec is calling the "incumbent script".  That's
what usually gets used whenever you need to derive an origin from what
scripts are active...

Or is the question why the origin depends on the script at all?  What
other origin would you use?  Don't forget the case of windows opened
with window.open, not just subframes.

-Boris

Received on Wednesday, 15 January 2014 17:31:46 UTC
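The following is an added illustration of the alias-versus-inherit point made in the message above; it is not code from the thread or from any browser. It is a toy model: an Origin object stands in for a browser principal, and an explicit script stack stands in for the spec's "incumbent script" machinery. All names (Origin, Doc, defineIn, navigateTo, the example hostnames) are made up for the example, and the model does not enforce who is allowed to navigate whom.

```javascript
// Toy model of data: URI origin *aliasing* (not inheritance).
// A document created from a data: URL does not get a copy of the
// navigator's origin; it shares the very same origin object, so a later
// document.domain change on the navigator shows up in the data: document.

class Origin {
  constructor(scheme, host, port) {
    this.scheme = scheme;
    this.host = host;
    this.port = port;
    this.domain = host; // what document.domain reports; mutable
  }
  static fromUrl(url) {
    const u = new URL(url);
    return new Origin(u.protocol.replace(':', ''), u.hostname, u.port || null);
  }
  sameOriginAs(other) {
    return this.scheme === other.scheme && this.host === other.host && this.port === other.port;
  }
}

class Doc {
  constructor(name, origin) {
    this.name = name;
    this.origin = origin;
    this.frames = [];
  }
  get domain() { return this.origin.domain; }
  // document.domain setter: mutates the (possibly shared) Origin object.
  setDomain(d) { this.origin.domain = d; }
}

// The innermost document whose script is running is the incumbent.
const scriptStack = [];
function incumbent() { return scriptStack[scriptStack.length - 1]; }

// Wrap a function so that calling it runs "as" script from `doc`, the way a
// function object carries the settings object of the script that created it.
function defineIn(doc, fn) {
  return (...args) => {
    scriptStack.push(doc);
    try { return fn(...args); } finally { scriptStack.pop(); }
  };
}

// Navigate `target` to `url`. For data: URLs the new document's origin is the
// same object as the incumbent's (aliased). Other URLs get a fresh Origin.
function navigateTo(target, url) {
  if (url.startsWith('data:')) {
    const who = incumbent();
    if (!who) throw new Error('data: navigation needs an incumbent script');
    target.origin = who.origin;
  } else {
    target.origin = Origin.fromUrl(url);
  }
  return target;
}

// Scenario 1 (from the message): A and B start same-origin but each has its
// own Origin object; script in B navigates A's subframe to data:.
function scenarioSubframe() {
  const A = new Doc('A', Origin.fromUrl('https://www.example.com/a'));
  const B = new Doc('B', Origin.fromUrl('https://www.example.com/b'));
  const sub = new Doc('sub', Origin.fromUrl('https://www.example.com/frame'));
  A.frames.push(sub);
  defineIn(B, () => navigateTo(A.frames[0], 'data:text/html,hi'))();
  const aliasesB = sub.origin === B.origin && A.origin.sameOriginAs(B.origin);
  A.setDomain('example.com');                 // A relaxes document.domain ...
  const afterASetsDomain = sub.domain;        // ... subframe unaffected
  B.setDomain('example.com');                 // B relaxes document.domain ...
  const afterBSetsDomain = sub.domain;        // ... subframe follows B
  return { aliasesB, afterASetsDomain, afterBSetsDomain };
}

// Scenario 2 (from the message): C tells A to navigate B, versus C navigating
// B itself. The incumbent is the innermost script frame, so the result differs.
function scenarioWhoNavigates() {
  const A = new Doc('A', Origin.fromUrl('https://a.example/'));
  const B = new Doc('B', Origin.fromUrl('https://b.example/'));
  const C = new Doc('C', Origin.fromUrl('https://c.example/'));
  const aNavigatesB = defineIn(A, (url) => navigateTo(B, url)); // A's helper
  defineIn(C, () => aNavigatesB('data:text/html,x'))();         // C calls it
  const viaA = B.origin === A.origin;
  defineIn(C, () => navigateTo(B, 'data:text/html,y'))();       // C does it
  const direct = B.origin === C.origin;
  defineIn(C, () => navigateTo(B, 'https://b.example/'))();     // non-data:
  const fresh = B.origin !== C.origin && B.origin.host === 'b.example';
  return { viaA, direct, fresh };
}
```

Running the two scenarios shows the subframe tracking B's document.domain but not A's, and B ending up aliased to A or to C depending purely on whose function is innermost when navigateTo runs.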