[whatwg] comment on a part of the script execution spec, regarding not fully active documents
Hallvord R. M. Steen
hallvord at opera.com
Wed Jun 22 08:51:35 PDT 2011
On Tue, 21 Jun 2011 23:42:32 +0900, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> On 6/21/11 5:21 AM, Hallvord R. M. Steen wrote:
>> Another issue I noticed is in the text under the heading "the
>> text. This is about trying to navigate a window from a different origin
> I don't think so, no.
> In particular, this check needs to happen right before running the
> script, which happens asynchronously, right?
Opera actually does a check earlier - there is an origin check if a script
attempts to set location / location.href to a string that starts with
immediately. If there is any way to insert a predictable delay between the
security check and the actual execution, a timing-sensitive XSS attack
might be possible.)
> So at that point throwing a security exception doesn't make much sense...
Well, I somewhat disagree with the "doesn't make much sense" claim here
;). It made sense to me to inform either the setting script or the script
However, I guess the latter is somewhat murky security-wise for little
gain, and the former would mean throwing a new exception when most engines
apparently haven't done so traditionally, so we should avoid that.
Summing up, I think HTML5 spec is OK as-is, and will report a bug to get
us to align..
Hallvord R. M. Steen, Core Tester, Opera Software
More information about the whatwg