[whatwg] comment on a part of the script execution spec, regarding not fully active documents
Hallvord R. M. Steen
hallvord at opera.com
Wed Jun 22 08:51:35 PDT 2011

On Tue, 21 Jun 2011 23:42:32 +0900, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> On 6/21/11 5:21 AM, Hallvord R. M. Steen wrote:
>> Another issue I noticed is in the text under the heading "the
>> javascript: URL scheme" - specifically the last "otherwise" part of the
>> text. This is about trying to navigate a window from a different origin
>> to a javascript: URL. Don't we expect a security exception here?
>
> I don't think so, no.
>
> In particular, this check needs to happen right before running the
> script, which happens asynchronously, right?

Opera actually does a check earlier - there is an origin check if a script
attempts to set location / location.href to a string that starts with
javascript:. (This model is of course safe if the javascript: URL executes
immediately. If there is any way to insert a predictable delay between the
security check and the actual execution, a timing-sensitive XSS attack
might be possible.)

> So at that point throwing a security exception doesn't make much sense...

Well, I somewhat disagree with the "doesn't make much sense" claim here
;). It made sense to me to inform either the setting script or the script
inside the javascript: URL itself of the problem by throwing an exception.
However, I guess the latter is somewhat murky security-wise for little
gain, and the former would mean throwing a new exception when most engines
apparently haven't done so traditionally, so we should avoid that.

Summing up, I think the HTML5 spec is OK as-is, and will report a bug to get
us to align.

--
Hallvord R. M. Steen, Core Tester, Opera Software
http://www.opera.com http://my.opera.com/hallvors/
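
The gap between an early origin check and the later, asynchronous execution discussed in this message, as an added toy model that is not part of the original e-mail and is not browser or spec code. `ToyWindow`, `navigateCheckAtSet`, `navigateCheckAtRun` and the `example` origins are constructed for illustration.

```javascript
// Toy model (constructed): a window has a current document origin, and a
// javascript: navigation queues a task that runs later (asynchronously).
class ToyWindow {
  constructor(origin) {
    this.origin = origin; // origin of the document currently loaded
    this.tasks = [];      // queued navigation tasks
    this.ran = [];        // scripts that executed, with the origin they ran in
  }
  load(origin) { this.origin = origin; } // an ordinary navigation completing
  runTasks() { while (this.tasks.length) this.tasks.shift()(); }
}

// Early check: origin compared only when location is set (time of check),
// then the script is queued and runs unconditionally (time of use).
function navigateCheckAtSet(callerOrigin, target, script) {
  if (callerOrigin !== target.origin) return false;
  target.tasks.push(() => target.ran.push({ script, inOrigin: target.origin }));
  return true;
}

// Late check: origin compared right before the script would run.
// On mismatch nothing runs and nothing is thrown, matching the
// no-exception outcome the thread settles on.
function navigateCheckAtRun(callerOrigin, target, script) {
  target.tasks.push(() => {
    if (callerOrigin !== target.origin) return;
    target.ran.push({ script, inOrigin: target.origin });
  });
  return true;
}

// Same sequence under either policy: the caller is same-origin when it sets
// the URL, but the target document changes before the queued task runs.
function scenario(navigate) {
  const w = new ToyWindow("https://a.example");
  navigate("https://a.example", w, "S");
  w.load("https://b.example");
  w.runTasks();
  return w.ran;
}

console.log("check at set:", scenario(navigateCheckAtSet));
console.log("check at run:", scenario(navigateCheckAtRun));
```

With the early check the script is recorded as running in the origin that loaded after the check; with the late check nothing runs.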