[whatwg] Need to define same-origin policy for WebIDL operations/getters/setters
David Bruant
bruant.d at gmail.com
Sun Dec 16 02:34:33 PST 2012
On 16/12/2012 02:33, Jonas Sicking wrote:
> An "easy" solution would be to just return null for .contentDocument
> in the case of cross-origin iframes.
It might be a solution for the specific problem Boris showed, but he
described a more generic problem. For instance:
<iframe src="http://w3.org"></iframe>
<script>
window.onload = function () {
  var docGetter = Object.getOwnPropertyDescriptor(window, 'document').get;
  var win = document.querySelector("iframe").contentWindow;
  var iframeDoc = docGetter.call(win);
}
</script>
This should blow up (and certainly does in engines where document is
reflected as an accessor), but per WebIDL, I think iframeDoc is the
iframe document regardless of the iframe origin. This is because the
attribute getter algorithm doesn't care about the origin, which is what
Boris is worried about.
WebIDL needs to embed in some way the notion of origin to enable
throwing for security reasons in the right places.
One idea would be to add an [OriginAware] extended attribute:
* On operations (like in Boris's case), an origin check would be performed
before calling the core of the operation
* On attributes, both the getter and setter would throw if "this" is not
of the right origin.
* On interfaces, it would apply to everything (might be necessary for
Window and Document)
David
>
> / Jonas
>
> On Sat, Dec 15, 2012 at 10:43 AM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
>> Ccing whatwg because that's where the whole "origin" thing is currently
>> defined.
>>
>> Consider this testcase:
>>
>> <iframe src="http://w3.org"></iframe><script>
>> window.onload = function () {
>>   try {
>>     var doc = document.querySelector("iframe").contentDocument;
>>     var list = document.getElementsByTagName.call(doc, "*");
>>     alert(list.item(0).textContent);
>>   } catch (e) {
>>     alert(e);
>>   }
>> }</script>
>>
>> This throws in Safari, Chrome, Firefox, and Opera, all on the
>> "getElementsByTagName.call" bit (except when loaded via file:// in Safari,
>> in which case it actually lets you read all data from random website in the
>> iframe).
>>
>> But I see nothing in the specs that requires this behavior, or indeed even
>> allows it. The security bits currently in the html spec talk about property
>> access on cross-origin Document and Window, but in this case there is no
>> property access happening on them per se...
>>
>> In any case, this needs to be defined somewhere.
>>
>> -Boris
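Added illustration (not code from the thread, from WebIDL, or from any browser): a toy JavaScript model of the [OriginAware] idea David proposes, where the attribute getter and the operation are each wrapped so that the origin of `this` is compared with the calling script's origin before any work is done. All names (parseOrigin, sameOrigin, guardWithOriginCheck, makeWindow, replayThreadCases) are invented, and real engines derive the caller's origin from the current settings object rather than from a closure argument; the point is only to show why both David's borrowed getter (`docGetter.call(win)`) and Boris's borrowed operation (`getElementsByTagName.call(doc, "*")`) should fail with a SecurityError when the target belongs to a cross-origin iframe.

```javascript
// Toy model of an [OriginAware] check. Hypothetical; not WebIDL's algorithm.

class SecurityError extends Error {
  constructor(message) {
    super(message);
    this.name = 'SecurityError';
  }
}

// Origin as the (scheme, host, port) tuple the HTML spec compares.
function parseOrigin(url) {
  const u = new URL(url);
  const defaultPort = u.protocol === 'https:' ? '443' : '80';
  return { scheme: u.protocol.slice(0, -1), host: u.hostname, port: u.port || defaultPort };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Toy Window/Document objects tagged with the origin that created them
// (constructed stand-ins for the real platform objects).
function makeWindow(url) {
  const origin = parseOrigin(url);
  const document = { origin, title: 'document for ' + url, elements: ['html', 'body'] };
  return { origin, document };
}

// Wrap a getter, setter or operation so that it checks the origin of `this`
// against the calling script's origin before running the real body. Only the
// wrapper is ever exposed, so a borrowed `this` (fn.call(otherObject)) still
// goes through the check instead of around it.
function guardWithOriginCheck(fn, callerOrigin) {
  return function (...args) {
    if (this === null || typeof this !== 'object' || !this.origin) {
      throw new TypeError('Illegal invocation'); // not a platform object at all
    }
    if (!sameOrigin(this.origin, callerOrigin)) {
      throw new SecurityError('Blocked cross-origin access to ' + fn.name);
    }
    return fn.apply(this, args);
  };
}

// Replay the thread's two testcases against the model and report what each
// attempt produced (a value for the same-origin case, an error name otherwise).
function replayThreadCases(callerUrl) {
  const caller = parseOrigin(callerUrl);
  const getDocument = guardWithOriginCheck(function getDocument() {
    return this.document;
  }, caller);
  const getElementsByTagName = guardWithOriginCheck(function getElementsByTagName(tag) {
    return tag === '*' ? this.elements.slice() : this.elements.filter(e => e === tag);
  }, caller);

  const ownWin = makeWindow(callerUrl);
  const crossWin = makeWindow('http://w3.org/'); // the <iframe src="http://w3.org"> from the thread

  const results = {};
  results.ownDocTitle = getDocument.call(ownWin).title;          // same origin: allowed
  try {
    results.crossDoc = getDocument.call(crossWin).title;         // David's docGetter.call(win)
  } catch (e) {
    results.crossDoc = e.name;
  }
  try {
    results.crossList = getElementsByTagName.call(crossWin.document, '*').length; // Boris's case
  } catch (e) {
    results.crossList = e.name;
  }
  return results;
}

console.log(replayThreadCases('http://example.test/page.html'));
```

With the script's own origin set to http://example.test, the same-origin call returns the document while both cross-origin attempts come back as SecurityError, which is the behaviour the four engines Boris tested show and the specs currently do not require.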