[whatwg] Need to define same-origin policy for WebIDL operations/getters/setters

Boris Zbarsky bzbarsky at MIT.EDU
Wed Jan 9 14:24:34 PST 2013

On 1/9/13 5:19 PM, Adam Barth wrote:
> Those checks are neither required for compatibility nor security.  The
> spec might say to perform the checks, but they aren't needed to build
> a secure, compatible browser.

OK.  So what checks do you believe are required, then?  Just effective 
script origin checks on Window?

I would really appreciate it if you would actually describe the security 
model you think the spec should have instead of us having to guess what 
parts you think are needed and which parts you think are not needed, 
with more gotchas and details all the time.

