[whatwg] Need to define same-origin policy for WebIDL operations/getters/setters

Cameron McCormack cam at mcc.id.au
Mon Jan 7 15:20:20 PST 2013

On 16/12/12 9:34 PM, David Bruant wrote:
> WebIDL needs to embed in some way the notion of origin to enable
> throwing for security reasons in the right places.
> One idea would be to add an [OriginAware] extended attribute:
> * On operations (like in Boris case), an origin check would be performed
> before calling the core of the operation

Why would this need to be on specific operations and not just be 
enforced on every operation?  Is it that we want to avoid the overhead 
of origin checking if we know that calling the operation does not leak 
information?  Or it it that only a limited set of objects is exposed 
cross origin anyway, so we only need to check those?

> * On attributes, both the getter and setter would throw if "this" is not
> of the right origin.
> * On interfaces, it would apply to everything (might be necessary for
> Window and Document)

For the actual wording of the check, we could either have a "security 
check" that is performed at the right time in #es-operations etc. and 
which HTML defines to do the origin checking, or we can make Web IDL 
aware of origins itself, and then HTML would define what origin 
different objects come from.

More information about the whatwg mailing list