
Re: Fwd: Data uri origin inheritance

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Wed, 15 Jan 2014 12:31:13 -0500
Message-ID: <52D6C5E1.10509@mit.edu>
To: www-dom@w3.org

On 1/15/14 12:17 PM, João Eiras wrote:
> top.document.getElementsByTagName('iframe')[...].src="data:...";

OK.  That will alias the origin of top.document, yes.

>> But note that there are things other than origin that we may want
>> to inherit here.  For example, CSP settings.
> Hum... I did not understand the answer. Again "How can a script in B
> trigger a navigation in A while having a different origin? What's
> the setup between A and B ?"

One key issue is that the origin is _aliased_, not inherited.

So if A and B start off same-origin and then script in B does:

   A.getElementsByTagName('iframe')[0].contentWindow.location = "data:..."

then the load will alias the origin of B, not that of A.  Then if B sets
document.domain that will affect the document.domain of the subframe,
but if A sets it that will not affect the subframe.

And again, there is talk of aliasing the CSP, not just the origin, and
it's pretty clear that A and B can be same-origin but have different CSP.

> Well, that's what I said: C would tell A to navigate B (actually A is
> too much there, C would navigate B).

That's an important difference.  If C tells A to navigate B, B will
alias the origin of A. If C just navigates B itself, B will alias the
origin of C.

>> The use case for data: URIs aliasing origins at all?  Or for the
>> specific determination of which origin to alias when you're
>> navigated from JS and the callstack has stackframes from different
>> origins?
> The second question please. I think the first one is pretty standard
> and understood by now.

The origin that's used is the origin of the innermost stack frame,
basically.  What the spec is calling the "incumbent script".  That's
what usually gets used whenever you need to derive an origin from what
scripts are active...

Or is the question why the origin depends on the script at all?  What
other origin would you use?  Don't forget the case of windows opened
with window.open, not just subframes.

Received on Wednesday, 15 January 2014 17:31:46 UTC
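
Added example, not part of the original message or of any browser's code: a toy JavaScript model of the aliasing described above, in which a data: load shares the origin object of the incumbent (innermost stack frame) document instead of copying it. The class and function names, the host names, and the "inherit" contrast mode are assumptions made for illustration.

```javascript
// Toy model of the behaviour described in the message; not browser code.
// Origin, Doc, incumbent and navigateToData are hypothetical names.
class Origin {
  constructor(host) {
    this.host = host;
    this.domain = host; // value document.domain would report
  }
}

class Doc {
  constructor(name, origin) {
    this.name = name;
    this.origin = origin;
  }
  setDomain(value) { // models `document.domain = value`
    this.origin.domain = value;
  }
}

// The incumbent script is modelled as the innermost (last) stack frame.
const incumbent = (callStack) => callStack[callStack.length - 1];

// "alias": the data: document shares the navigating document's Origin object.
// "inherit": it receives a snapshot copy (assumed mode, shown for contrast).
function navigateToData(callStack, mode = "alias") {
  const source = incumbent(callStack).origin;
  const origin = mode === "alias" ? source : Object.assign(new Origin(source.host), source);
  return new Doc("data:", origin);
}

function demo() {
  // Constructed scenario: A, B and C start same-origin but are distinct documents.
  const [A, B, C] = ["A", "B", "C"].map((n) => new Doc(n, new Origin("www.example.com")));
  const aliased = navigateToData([B]);           // script in B navigates A's subframe
  const copied = navigateToData([B], "inherit");

  A.setDomain("example.com");                    // A's change does not reach the subframe
  const afterA = aliased.origin.domain;
  B.setDomain("example.com");                    // B's change does: the origin is shared
  return {
    afterA,
    afterB: aliased.origin.domain,
    copiedAfterB: copied.origin.domain,
    cTellsA: navigateToData([C, A]).origin === A.origin, // C calls into A, A navigates B
    cDirect: navigateToData([C]).origin === C.origin,    // C navigates B itself
  };
}

console.log(demo());
```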
