[whatwg] Need to define same-origin policy for WebIDL operations/getters/setters

Boris Zbarsky bzbarsky at MIT.EDU
Mon Jan 7 17:48:46 PST 2013

On 1/7/13 6:20 PM, Cameron McCormack wrote:
> Why would this need to be on specific operations and not just be
> enforced on every operation?

I believe Gecko currently enforces this sort of thing on every 
operation, for what it's worth.

> Or it it that only a limited set of objects is exposed
> cross origin anyway

The set of objects exposed is not particularly limited once 
document.domain gets involved.

Note that there is longstanding disagreemed on which cases of direct 
property access should perform same-origin checks.  Again, Gecko I 
believe does it for all but a whitelist of properties like Window.top 
and such.

> For the actual wording of the check, we could either have a "security
> check" that is performed at the right time in #es-operations etc. and
> which HTML defines to do the origin checking, or we can make Web IDL
> aware of origins itself, and then HTML would define what origin
> different objects come from.

For what it's worth, in Gecko the "is same origin" determination is one 
and the same as "implements an interface" determination: a cross-origin 
object simply claims to not implement any interfaces from the caller's 
point of view.


More information about the whatwg mailing list