[whatwg] comment on a part of the script execution spec, regarding not fully active documents

Hallvord R. M. Steen hallvord at opera.com
Wed Jun 22 08:51:35 PDT 2011


On Tue, 21 Jun 2011 23:42:32 +0900, Boris Zbarsky <bzbarsky at mit.edu> wrote:

> On 6/21/11 5:21 AM, Hallvord R. M. Steen wrote:
>> Another issue I noticed is in the text under the heading "the
>> javascript: URL scheme" - specifically the last "otherwise" part of the
>> text. This is about trying to navigate a window from a different origin
>> to a javascript: URL. Don't we expect a security exception here?
>
> I don't think so, no.
>
> In particular, this check needs to happen right before running the  
> script, which happens asynchronously, right?

Opera actually does a check earlier - there is an origin check if a script  
attempts to set location / location.href to a string that starts with  
javascript:. (This model is of course safe if the javascript: URL executes  
immediately. If there is any way to insert a predictable delay between the  
security check and the actual execution, a timing-sensitive XSS attack  
might be possible.)

> So at that point throwing a security exception doesn't make much sense...

Well, I somewhat disagree with the "doesn't make much sense" claim here  
;). It made sense to me to inform either the setting script or the script  
inside the javascript: URL itself of the problem by throwing an exception.  
However, I guess the latter is somewhat murky security-wise for little  
gain, and the former would mean throwing a new exception when most engines  
apparently haven't done so traditionally, so we should avoid that.

Summing up, I think the HTML5 spec is OK as-is, and will report a bug to get
us to align.

-- 
Hallvord R. M. Steen, Core Tester, Opera Software
http://www.opera.com http://my.opera.com/hallvors/
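
Added example, not part of the original message and not code from any browser: a toy model of the two check placements discussed in this thread, showing what happens when the target's document changes between an early origin check and the later script execution. The class, function, policy names and the example.com-style origins are all hypothetical.

```javascript
// Toy model (constructed): a browsing context whose active document, and
// therefore origin, can change while a javascript: navigation is queued.
class BrowsingContext {
  constructor(origin) { this.origin = origin; this.ran = []; }
  navigate(newOrigin) { this.origin = newOrigin; } // active document replaced
}

const sameOrigin = (a, b) => a === b;

// policy "check-at-set": origin check when location is assigned (early check).
// policy "check-at-run": origin check right before the script runs.
function setLocation(sourceOrigin, target, url, policy, taskQueue) {
  if (!url.startsWith("javascript:")) return "not a javascript: URL";
  if (policy === "check-at-set" && !sameOrigin(sourceOrigin, target.origin)) {
    return "blocked at set";
  }
  // Execution is asynchronous: the script is queued, not run immediately.
  taskQueue.push(() => {
    if (policy === "check-at-run" && !sameOrigin(sourceOrigin, target.origin)) {
      return "blocked at run";
    }
    target.ran.push({ script: url.slice("javascript:".length), inOrigin: target.origin });
    return "ran";
  });
  return "queued";
}

// Runs one navigation; if `delayed`, the target's document changes origin in
// the gap between the assignment and the queued execution.
function scenario(policy, delayed) {
  const source = "https://a.example";             // constructed origins
  const target = new BrowsingContext("https://a.example");
  const queue = [];
  const atSet = setLocation(source, target, "javascript:void 0", policy, queue);
  if (delayed) target.navigate("https://b.example");
  const atRun = queue.map((task) => task());
  return { atSet, atRun, ran: target.ran };
}

for (const policy of ["check-at-set", "check-at-run"]) {
  for (const delayed of [false, true]) {
    console.log(policy, "delayed=" + delayed, JSON.stringify(scenario(policy, delayed)));
  }
}
```

With no gap both policies behave the same; with a gap, only the check made right before execution sees the origin the script would actually run in.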


