[whatwg] Need to define same-origin policy for WebIDL operations/getters/setters
Ian Hickson
ian at hixie.ch
Wed Jan 9 16:47:52 PST 2013
On Wed, 9 Jan 2013, Anne van Kesteren wrote:
> On Tue, Jan 8, 2013 at 7:46 AM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> > Actually, that's not enough. You have to security-check arguments
> > too. Otherwise this:
> >
> > document.createTreeWalker(crossFrameDoc, etc);
> >
> > would be bad. (Note that right now the DOM spec fails to handle this,
> > which is about what I would expect out of people creating APIs, which
> > is why I would really prefer we define this on a low level where
> > people can't screw up by forgetting it.)
>
> You didn't file a bug on this I think. I did think HTML handled this
> already though which is why it is not addressed in the DOM
> specification.
If we can make Window.document and contentDocument on iframe, frame, and
object return "null" when cross-origin, we can drop the security checks on
Document and createTreeWalker(), as far as I can tell.
That would maybe simplify matters a little. It's an orthogonal move
relative to what bz has been advocating for in terms of what security
model we should have, and it's more like what Chrome has. But do Opera and
Microsoft want to go in that direction? I'm not over the moon about
changing the security model without more buy-in.
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
More information about the whatwg
mailing list