[whatwg] Need to define same-origin policy for WebIDL operations/getters/setters

Adam Barth w3c at adambarth.com
Wed Jan 9 14:19:55 PST 2013


On Wed, Jan 9, 2013 at 2:18 PM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> On 1/9/13 4:33 PM, Adam Barth wrote:
>> For what it's worth, that doesn't appear to be necessary for web
>> compatibility.  Any time WebKit would return a Document to a script in
>> another origin, WebKit returns null instead.
>
> The HTML spec requires that property access on documents use effective
> script origin for checks.
>
> Effective script origins are mutable.
>
> It is in fact possible to get your hands on a document in a different
> effective script origin in WebKit (thanks, document.domain).

Those checks are required neither for compatibility nor for security.  The
spec might say to perform the checks, but they aren't needed to build
a secure, compatible browser.

Adam
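To make the "effective script origin" check under discussion concrete, here is a small model written for this page (it is example code, not part of the thread or of any browser): it follows the HTML spec's current "same origin-domain" rule, under which two documents may touch each other only when their effective origins match and both, or neither, have relaxed their origin through document.domain. All hostnames are constructed sample data.

```javascript
// Added example: a model of the effective-script-origin comparison used
// to gate cross-origin access to a Document.  Hostnames are constructed.

// An origin is a (scheme, host, port) tuple.  The effective origin starts
// equal to it; document.domain can later relax the host part.
function makeDocument(scheme, host, port) {
  return {
    origin: { scheme, host, port },
    effective: { scheme, host, port },
    domainSet: false, // the spec's "domain" field is non-null once set
  };
}

// Model of the document.domain setter: the new value must be the host
// itself or a parent domain of it (suffix match on a dot boundary).
function setDocumentDomain(doc, value) {
  const host = doc.origin.host;
  const ok = value === host || host.endsWith('.' + value);
  if (!ok) throw new Error('SecurityError: ' + value + ' is not a parent of ' + host);
  doc.effective = { scheme: doc.origin.scheme, host: value, port: doc.origin.port };
  doc.domainSet = true; // effective script origins are mutable: this changes later checks
}

function sameOriginTuple(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// "Same origin-domain": effective tuples match AND both sides agree on
// whether document.domain was used.  A document that relaxed its origin
// therefore cannot reach one that did not, even when the tuples coincide.
// This is evaluated on every access, not once when a reference is obtained.
function canAccess(accessor, target) {
  return sameOriginTuple(accessor.effective, target.effective) &&
         accessor.domainSet === target.domainSet;
}
```

The check must run at every property access: a reference obtained while two documents were same-origin stays valid after one of them changes document.domain, and only a per-access check catches the new mismatch.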
