[whatwg] Need to define same-origin policy for WebIDL operations/getters/setters

Boris Zbarsky bzbarsky at MIT.EDU
Tue Jan 8 05:56:24 PST 2013


On 1/8/13 8:14 AM, Boris Zbarsky wrote:
> On 1/8/13 2:09 AM, Ian Hickson wrote:
>> In the spec's security model, origins are never relevant for elements
>> except when we're looking at the element's data.
>
> Yes.  I think the spec's security model is not viable long-term, for
> what it's worth, and think we should be designing a security model that
> is instead...

Just to clarify this.  You may want to talk to sicking and Mounir about 
what they discovered about security models in the course of getting 
partially-elevated-privileges web apps to work.

I suspect we'll need more of that sort of thing as time goes on.  Which 
means the security model will likely need to evolve.

Which in turn means that I believe we should not be designing APIs and 
other functionality around the current security model, especially if the 
dependency is non-obvious (and I would argue that any dependency not 
spelled out in the section describing the security model is non-obvious, 
because it's too easy to miss it when updating the security model). 
What I think we should be doing instead is designing with the assumption 
that some core set of things is true (and we can argue about what set 
that is), but making as few assumptions as possible in general.

Put another way, I think we have good evidence that the security model 
in the spec, as well as that in every browser, Gecko included, is wrong 
in the same sense that Newtonian mechanics is wrong.  The problem is 
that we don't know what our equivalent of special relativity is yet.

-Boris
