[whatwg] Need to define same-origin policy for WebIDL operations/getters/setters
Boris Zbarsky
bzbarsky at MIT.EDU
Mon Jan 7 17:55:07 PST 2013
On 1/7/13 6:41 PM, Ian Hickson wrote:
> Most things don't have an origin.
Pretty much everything has an origin in practice: it's associated with
some Window, hence can be treated as having the same origin as that Window.
> Origin checks are only done in some very
> specific places where you try to get an object's properties; what we're
> saying here is that for those properties, you also need to do the check
> when you run the code behind those properties (e.g. call a method),
> against the "this".
I'm not quite sure we're talking about the same thing here. Can you
give an example of what you're thinking?
What _I'm_ thinking is that there needs to be a security check when
someone does
Document.prototype.getElementsByTagName.call(subframe.contentDocument).
This is not the same security check as the one performed by
subframe.contentDocument.getElementsByTagName (note lack of call; it
never gets that far in the cross-origin case). This is independent of
whether we're doing security checks on all property access or on some of
them.
>> Is it that we want to avoid the overhead of origin checking if we know
>> that calling the operation does not leak information? Or is it that
>> only a limited set of objects is exposed cross origin anyway, so we only
>> need to check those?
>
> Both.
Implementing different security models on the IDL level is a footgun of
enormous size. We should simply have IDL methods throw if called with
not-same-origin "this" or arguments, except for a whitelist. In my
opinion. Anything else is fragile and leads to security whack-a-mole.
Note that we can have the argument about which interfaces are subject to
this security check if you want to only limit it to some objects; for
example you could argue that this is only needed on Window, EventTarget,
Document, Node, and a few others. That's a separate argument from
whether the security checks for those interfaces should be opt-in or
opt-out.
-Boris
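As an added illustration, not code from this thread or from any browser, here is a toy Node.js model of the opt-out rule argued for above: every operation checks that its `this` and any object arguments belong to the running script's origin before the body runs, except for a whitelist, so `Document.prototype.getElementsByTagName.call(subframe.contentDocument)` is rejected even though the property access itself was never involved. The `activeOrigin`/`runAs` mechanism, the `origin` field and the whitelisting of `postMessage` are assumptions of the model, not WebIDL API.

```javascript
// Toy model of an opt-out same-origin check on WebIDL operations (added example).
// `activeOrigin` stands in for the origin of the currently running script;
// real browsers derive it from the calling realm, not from a global (assumption).
let activeOrigin = null;
function runAs(origin, fn) {
  const prev = activeOrigin;
  activeOrigin = origin;
  try { return fn(); } finally { activeOrigin = prev; }
}
class OriginError extends Error {}
class Node { constructor(origin) { this.origin = origin; } }
class Document extends Node {
  constructor(origin, tags) { super(origin); this.tags = tags; }
}
// Install an operation that rejects a cross-origin `this` or a cross-origin
// object argument before running `impl`, unless the operation is whitelisted.
function checkedOperation(proto, name, impl, exempt = false) {
  proto[name] = function (...args) {
    if (!exempt) {
      if (!(this instanceof Node) || this.origin !== activeOrigin)
        throw new OriginError(`${name}: cross-origin this`);
      for (const a of args)
        if (a instanceof Node && a.origin !== activeOrigin)
          throw new OriginError(`${name}: cross-origin argument`);
    }
    return impl.apply(this, args);
  };
}
checkedOperation(Document.prototype, 'getElementsByTagName',
  function (tag) { return this.tags.filter((t) => t === tag); });
checkedOperation(Node.prototype, 'contains', function (other) { return other === this; });
// Hypothetical whitelist entry: deliberately callable on a cross-origin target.
checkedOperation(Node.prototype, 'postMessage',
  function (msg) { return `${this.origin} got ${msg}`; }, true);

// Script from https://a.example reaching its own document and a cross-origin
// subframe document through the generic prototype methods (constructed sample).
function demo() {
  const ownDoc = new Document('https://a.example', ['div', 'p', 'div']);
  const subframeDoc = new Document('https://b.example', ['span']);
  const outcome = (fn) => {
    try { return fn(); } catch (e) { return e instanceof OriginError ? 'blocked' : 'error'; }
  };
  return runAs('https://a.example', () => ({
    same: outcome(() => Document.prototype.getElementsByTagName.call(ownDoc, 'div').length),
    crossThis: outcome(() => Document.prototype.getElementsByTagName.call(subframeDoc, 'span')),
    crossArg: outcome(() => ownDoc.contains(subframeDoc)),
    exempt: outcome(() => Node.prototype.postMessage.call(subframeDoc, 'hi')),
  }));
}
```

The `crossThis` and `crossArg` cases are the ones an opt-in model would silently let through for any interface nobody remembered to annotate.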