[whatwg] Need to define same-origin policy for WebIDL operations/getters/setters
ian at hixie.ch
Wed Jan 9 13:28:02 PST 2013
On Wed, 9 Jan 2013, Adam Barth wrote:
>
> The Document interface (which is what we started this thread discussing)
> is never visible across origins and so does not have any of these

Actually Document objects can be visible across origins per spec, but none
of their properties ever are.

The four magic interfaces are Window, Document, Storage, and Location.
They each have slightly different magic.

But as far as this thread goes, the solution for all four is basically the
same; calling code on any of them should just run the same check as is run
when accessing properties on them.

I'm happy to spec this, but IMHO the right spec is for WebIDL to introduce
some hook I can use to make sure I catch all the relevant places. I don't
really want the HTML spec to enumerate all the things here like getters
and setters and methods and so forth that are relevant, I'd like it to
just hook all of them at once, providing the algorithm for each of the
above four interfaces, just like we do now for direct accesses.

Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
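
Added example, not part of the original message and not spec or browser code: a toy JavaScript model of the single hook the message asks for, where every getter, setter and operation of an interface runs that interface's own access algorithm against the object it is invoked on. All names (guard, defineInterface, crossOriginPolicy, makeDocument, makeLocation), the origins and the per-interface allow-lists are assumptions made for illustration.

```javascript
// Toy model, not browser or spec code: one hook guards every member kind.
const slots = new WeakMap();             // object -> { origin, state }
let callerOrigin = "https://a.example";  // origin of the running script (constructed)
class SecurityError extends Error {}
// Per-interface algorithm: may a cross-origin caller use this member?
// These allow-lists are illustrative assumptions, not the HTML spec's lists.
const crossOriginPolicy = {
  Document: () => false,
  Location: (kind, name) => kind === "setter" && name === "href",
};
// The hook. Extracting a getter or method and using .call() on another
// object still lands here, because the check keys off `this`.
function guard(iface, kind, name, fn) {
  return function (...args) {
    const slot = slots.get(this);
    if (!slot) throw new TypeError("Illegal invocation");
    if (slot.origin !== callerOrigin && !crossOriginPolicy[iface](kind, name)) {
      throw new SecurityError(`${iface}.${name} ${kind} blocked`);
    }
    return fn.apply(slot.state, args);
  };
}

function defineInterface(iface, members) {
  const proto = {};
  for (const [name, m] of Object.entries(members)) {
    if (typeof m === "function") {
      proto[name] = guard(iface, "operation", name, m);
    } else {
      Object.defineProperty(proto, name, {
        get: m.get && guard(iface, "getter", name, m.get),
        set: m.set && guard(iface, "setter", name, m.set),
      });
    }
  }
  return (origin, state) => {
    const obj = Object.create(proto);
    slots.set(obj, { origin, state });
    return obj;
  };
}

const makeDocument = defineInterface("Document", {
  title: { get() { return this.title; }, set(v) { this.title = v; } },
  getElementById() { return null; },
});
const makeLocation = defineInterface("Location", {
  href: { get() { return this.href; }, set(v) { this.href = v; } },
});
```

Because the interface definition never lists which member kinds need the check, a member added later is guarded by construction rather than by remembering to enumerate it.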