[whatwg] Need to define same-origin policy for WebIDL operations/getters/setters

Ian Hickson ian at hixie.ch
Mon Jan 7 23:16:54 PST 2013


On Tue, 8 Jan 2013, Boris Zbarsky wrote:
> On 1/8/13 1:42 AM, Boris Zbarsky wrote:
> >On 1/7/13 11:28 PM, Ian Hickson wrote:
> > > The check is the same -- if the Document that is the "this" to which 
> > > the property is being applied doesn't match the origin of the script 
> > > that is doing the applying, throw SecurityError.
> 
> Actually, that's not enough.  You have to security-check arguments too. 
> Otherwise this:
> 
>   document.createTreeWalker(crossFrameDoc, etc);
> 
> would be bad.  (Note that right now the DOM spec fails to handle this, 
> which is about what I would expect out of people creating APIs, which is 
> why I would really prefer we define this on a low level where people 
> can't screw up by forgetting it.)

I don't know about Document, but I can definitely think of APIs where it 
makes sense to be passing Window objects from other origins. (For example, 
one could imagine a PortCollection analogue for Window.postMessage() where 
you push the destination Window objects into an opaque object and then 
have the browser iterate over them.)

I would be fine with an annotation on Document and Window that says that 
you can't pass them in as arguments when they're cross-origin except if 
the method's argument has itself been annotated with a "I know what I'm 
doing" marker. (Dunno how this would work with Location and Storage.)

But if there's only one API that takes any of these four object types 
currently (I couldn't find any that took Document or Window in the HTML 
spec in a cursory look) then maybe it's not worth the bother. Whack-a-mole 
isn't _so_ bad if it's one mole a decade.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
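A model of the check discussed in this thread, added here as an illustration and not code from any browser, spec or participant: the operation checks both `this` and its Document/Window arguments against the calling script's origin, with a per-argument annotation for the cases where a cross-origin Window is intended. Names (SecurityError, Document, Window, PortCollection, sameOriginGuard) and the explicit callerOrigin parameter are assumptions of the model.

```javascript
// Constructed model of the WebIDL-level same-origin check discussed above
// (assumed names: SecurityError, Document, Window, PortCollection,
// sameOriginGuard; callerOrigin stands in for the calling script's settings
// object). Added illustration, not browser or spec code.
class SecurityError extends Error {
  constructor(message) { super(message); this.name = "SecurityError"; }
}

// Stand-ins for platform objects, each tagged with the origin it belongs to.
class Document { constructor(origin) { this.origin = origin; } }
class Window { constructor(origin) { this.origin = origin; } }
const isOriginTagged = (v) => v instanceof Document || v instanceof Window;

// Wrap an operation so that, before it runs, both `this` and every
// Document/Window argument are compared with the caller's origin.
// `allowCrossOrigin` lists argument indices carrying the "I know what
// I'm doing" annotation, which skips the check for that argument only.
function sameOriginGuard(impl, { allowCrossOrigin = [] } = {}) {
  return function guarded(callerOrigin, ...args) {
    if (isOriginTagged(this) && this.origin !== callerOrigin) {
      throw new SecurityError("this is cross-origin");
    }
    args.forEach((arg, index) => {
      if (isOriginTagged(arg) && arg.origin !== callerOrigin &&
          !allowCrossOrigin.includes(index)) {
        throw new SecurityError(`argument ${index} is cross-origin`);
      }
    });
    return impl.apply(this, args);
  };
}

// createTreeWalker analogue: checking only `this` would let a same-origin
// document be used to walk a cross-frame document passed as the root.
Document.prototype.createTreeWalker = sameOriginGuard(function (root) {
  return { root };
});

// PortCollection analogue: destination Windows may be cross-origin by
// design, so argument 0 is annotated and only `this` is checked.
class PortCollection { constructor() { this.targets = []; } }
PortCollection.prototype.push = sameOriginGuard(function (target) {
  this.targets.push(target);
  return this.targets.length;
}, { allowCrossOrigin: [0] });
```

With the guard in place, a same-origin document can still not be used to walk a cross-frame document passed as the root, while the annotated PortCollection accepts a cross-origin Window as intended.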