[whatwg] Location object identity and navigation behavior

Boris Zbarsky bzbarsky at MIT.EDU
Fri Nov 9 18:39:47 PST 2012


On 11/9/12 2:05 PM, Adam Barth wrote:
>   The approach we use in WebKit is quite simple---we just perform an
> access check before doing any sensitive operations.

The issue in Gecko, as I understand, is that security checks from C++ 
code require introspecting running JS to figure out what the right actor 
("subject") origin for the security check is.  This is somewhat fragile 
because it's easy to accidentally interpose other things that look like 
running JS between the caller and callee in many cases.  Note that this 
problem would be even worse for a self-hosted (implemented in JS) 
implementation of something like Location...

The upshot is that instead we aim to do security checks at points where 
control crosses from one origin to another, and use proxies to enforce 
the security invariants involved.

Bobby knows more about this than I do, so I'll let him correct any 
inaccuracies.

> This access check is required in any case because the underlying Location object is
> visible across origins.

In Gecko, it's actually not.  A proxy is visible.

One thing I'd like is some comment from Opera and Microsoft about what 
their situation is, since implementing what WebKit does would mean both 
of those changing.  This is probably the wrong venue to get hold of 
Microsoft for an official statement, sadly.  :(

-Boris
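To make the two strategies concrete, here is an added toy model in JavaScript (not code from Gecko, WebKit, or this thread): a Location-like object guarded either by a proxy fixed to the caller's origin where control crosses the boundary, or by per-operation checks that ask the engine for the current subject origin at call time. The origins, the object shape and the `attempt` helper are constructed assumptions; the cross-origin allow-list (assign `href`, call `replace()`) follows the HTML spec's rules for Location.

```javascript
// Added example (not Gecko or WebKit code): toy model of both strategies; origins are constructed.
// What a cross-origin caller may do to a Location per the HTML spec:
// assign href (write only) and call replace(); everything else is denied.
const CROSS_ORIGIN_SETTERS = new Set(["href"]);
const CROSS_ORIGIN_METHODS = new Set(["replace"]);

function makeLocation(origin) {
  return {
    origin,
    href: origin + "/",
    replace(url) { this.href = url; return "replaced"; },
    reload() { return "reloaded"; },
  };
}

// Gecko-style: the raw object is never handed across origins. A proxy is
// created where control crosses the origin boundary, so the subject origin
// is fixed at wrap time and no running-script introspection is needed later.
function wrapForOrigin(loc, subjectOrigin) {
  if (subjectOrigin === loc.origin) return loc;   // same-origin: direct access
  return new Proxy(loc, {
    get(target, prop) {
      if (CROSS_ORIGIN_METHODS.has(prop)) return target[prop].bind(target);
      throw new Error(`SecurityError: cannot read ${String(prop)} cross-origin`);
    },
    set(target, prop, value) {
      if (CROSS_ORIGIN_SETTERS.has(prop)) { target[prop] = value; return true; }
      throw new Error(`SecurityError: cannot set ${String(prop)} cross-origin`);
    },
  });
}

// WebKit-style: the raw object is reachable cross-origin, so each sensitive
// operation asks the engine for the current subject origin at call time
// (currentSubjectOrigin models the stack introspection Boris calls fragile).
function makeCheckedLocation(origin, currentSubjectOrigin) {
  const loc = makeLocation(origin);
  const deny = (op) => { throw new Error(`SecurityError: cannot ${op} cross-origin`); };
  return {
    get href() { return currentSubjectOrigin() === origin ? loc.href : deny("read href"); },
    set href(v) { loc.href = v; },                 // allowed cross-origin
    replace: (url) => loc.replace(url),            // allowed cross-origin
    reload: () => currentSubjectOrigin() === origin ? loc.reload() : deny("call reload"),
  };
}
// Runs fn and returns its result, or the SecurityError message if it threw.
function attempt(fn) {
  try { return fn(); } catch (e) { return e.message; }
}
```

Note that in the proxy version the origin decision is made once, when the proxy is handed out, whereas the checked version must re-derive the subject origin on every read or call.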

