[whatwg] Need to define same-origin policy for WebIDL operations/getters/setters
bzbarsky at MIT.EDU
Mon Jan 7 17:48:46 PST 2013
On 1/7/13 6:20 PM, Cameron McCormack wrote:
> Why would this need to be on specific operations and not just be
> enforced on every operation?
I believe Gecko currently enforces this sort of thing on every
operation, for what it's worth.
> Or it it that only a limited set of objects is exposed
> cross origin anyway
The set of objects exposed is not particularly limited once
document.domain gets involved.
Note that there is longstanding disagreemed on which cases of direct
property access should perform same-origin checks. Again, Gecko I
believe does it for all but a whitelist of properties like Window.top
> For the actual wording of the check, we could either have a "security
> check" that is performed at the right time in #es-operations etc. and
> which HTML defines to do the origin checking, or we can make Web IDL
> aware of origins itself, and then HTML would define what origin
> different objects come from.
For what it's worth, in Gecko the "is same origin" determination is one
and the same as "implements an interface" determination: a cross-origin
object simply claims to not implement any interfaces from the caller's
point of view.
More information about the whatwg