[whatwg] Need to define same-origin policy for WebIDL operations/getters/setters
Boris Zbarsky
bzbarsky at MIT.EDU
Wed Jan 9 07:16:41 PST 2013
On 1/9/13 3:11 AM, Adam Barth wrote:
> I'm not convinced of that. I understand that Gecko need to deal with
> these complications because of a number of Mozilla-proprietary APIs,
Actually, what I'm talking about here has nothing to do with APIs but
everything to do with wanting to write web applications that have
slightly more privileges than your typical web page. Again, you may
want to talk to Jonas and Mounir for details.
> If and when features are added to
> the platform that cause these sorts of problems, we can deal with the
> consequences.
My argument is that we should not lock ourselves out of adding such
features in the future.
> In the mean time, I don't think we should force other
> browser engines to implement a more complicated security model than
> necessary for the platform as it stands.
I'm not saying we should force anyone to implement any particular
security model.
I'm saying we shouldn't design/spec things that become completely
insecure if the security model ever changes in any way and hence prevent
evolution of the security model. Which means that we should assume as
little as possible about what the security model guarantees us when
specifying things. In my opinion.
> This paragraph was too abstract for me to understand. Do you have a
> concrete example?
For example, Ian's argument is that you can skip security checks in
various places because the security model does that already.
My counter-argument is that we should define the behavior of those
places by referencing the security model explicitly, so that if the
security model changes we won't have to hunt down all the places that
had implicit dependencies on it.
Does that make more sense?
>> Put another way, I think we have good evidence that the security model in
>> the spec, as well as that in every browser, Gecko included, is wrong in the
>> same sense that Newtonian mechanics is wrong. The problem is that we don't
>> know what our equivalent of special relativity is yet.
>
> I don't understand the analogy.
The current security model describes most common cases, but not some
edge cases (see above about a slightly-elevated-privileges web app that
can, say, touch nodes from one and only one different origin).
> More seriously, life gets complicated when you introduce an asymmetric
> access relation
I agree. I believe, however, that for many apps based on web technology
you in fact might need this. Again, Sicking and Mounir would know more.
https://bugzilla.mozilla.org/show_bug.cgi?id=734891 has some of the
things in it, but I'm not sure it's all of them.
> However, the open web platform contains only a symmetric access relation
Yes, I understand that's how it stands now. I'm questioning the
viability of this going forward, and especially questioning to what
extent we should be intentionally making it impossible to change away
from this model.
> and I intent to argue against any attempt to introduce an asymmetric access
That is, of course, your right. ;)
> Maybe I've lost the thread here, but I don't understand the problem
> you're trying to solve with this thread. The simplest solution is for
> contentDocument to return null when accessed from a different origin.
That's not enough. Window has the same problem: the "document" IDL
getter needs to check that you're allowed to get the document of the
relevant window, for example.
Is the check you describe for contentDocument based on origin or
effective script origin?
-Boris
More information about the whatwg
mailing list