[whatwg] Need to define same-origin policy for WebIDL operations/getters/setters

Ian Hickson ian at hixie.ch
Wed Jan 9 16:47:52 PST 2013

On Wed, 9 Jan 2013, Anne van Kesteren wrote:
> On Tue, Jan 8, 2013 at 7:46 AM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> > Actually, that's not enough.  You have to security-check arguments 
> > too. Otherwise this:
> >
> >   document.createTreeWalker(crossFrameDoc, etc);
> >
> > would be bad.  (Note that right now the DOM spec fails to handle this, 
> > which is about what I would expect out of people creating APIs, which 
> > is why I would really prefer we define this on a low level where 
> > people can't screw up by forgetting it.)
> You didn't file a bug on this I think. I did think HTML handled this 
> already though which is why it is not addressed in the DOM 
> specification.

If we can make Window.document and contentDocument on iframe, frame, and 
object return "null" when cross-origin, we can drop the security checks on 
Document and createTreeWalker(), as far as I can tell.

That would maybe simplify matters a little. It's an orthogonal move 
relative to what bz has been advocating for in terms of what security 
model we should have, and it's more like what Chrome has. But do Opera and 
Microsoft want to go in that direction? I'm not over the moon about 
changing the security model without more buy-in.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

More information about the whatwg mailing list