[whatwg] Need to define same-origin policy for WebIDL operations/getters/setters

Boris Zbarsky bzbarsky at MIT.EDU
Mon Jan 7 22:46:27 PST 2013

On 1/8/13 1:42 AM, Boris Zbarsky wrote:
 >On 1/7/13 11:28 PM, Ian Hickson wrote:
>> The check is the same -- if the Document that is the "this" to
>> which the property is being applied doesn't match the origin of the
>> script
>> that is doing the applying, throw SecurityError.

Actually, that's not enough.  You have to security-check arguments too. 
  Otherwise this:

   document.createTreeWalker(crossFrameDoc, etc);

would be bad.  (Note that right now the DOM spec fails to handle this, 
which is about what I would expect out of people creating APIs, which is 
why I would really prefer we define this on a low level where people 
can't screw up by forgetting it.)


More information about the whatwg mailing list