[whatwg] Need to define same-origin policy for WebIDL operations/getters/setters
ian at hixie.ch
Mon Jan 7 23:16:54 PST 2013
On Tue, 8 Jan 2013, Boris Zbarsky wrote:
> On 1/8/13 1:42 AM, Boris Zbarsky wrote:
> >On 1/7/13 11:28 PM, Ian Hickson wrote:
> > > The check is the same -- if the Document that is the "this" to which
> > > the property is being applied doesn't match the origin of the script
> > > that is doing the applying, throw SecurityError.
> Actually, that's not enough. You have to security-check arguments too.
> Otherwise this:
> document.createTreeWalker(crossFrameDoc, etc);
> would be bad. (Note that right now the DOM spec fails to handle this,
> which is about what I would expect out of people creating APIs, which is
> why I would really prefer we define this on a low level where people
> can't screw up by forgetting it.)
I don't know about Document, but I can definitely think of APIs where it
makes sense to be passing Window objects from other origins. (For example,
one could imagine a PortCollection analogue for Window.postMessage() where
you push the destination Window objects into an opaque object and then
have the browser iterate over them.)
I would be fine with an annotation on Document and Window that says that
you can't pass them in as arguments when they're cross-origin except if
the method's argument has itself been annotated with a "I know what I'm
doing" marker. (Dunno how this would work with Location and Storage.)
But if there's only one API that takes any of these four object types
currently (I couldn't find any that took Document or Window in the HTML
spec in a cursory look) then maybe it's not worth the bother. Wack a mole
isn't _so_ bad if it's one mole a decade.
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
More information about the whatwg