[whatwg] Need to define same-origin policy for WebIDL operations/getters/setters
bzbarsky at MIT.EDU
Wed Jan 9 20:21:51 PST 2013
Adam, thank you for taking the time to put this together. I really
appreciate it. There are lots of things here where we can converge
behavior no matter what happens with other pieces of the platform.
On 1/9/13 5:58 PM, Adam Barth wrote:
> Generally speaking, I'd recommend exposing as few things across
> origins as possible.
Yes, agreed. For what it's worth, I believe Gecko recently made history
not accessible cross-origin anymore, so with any luck you'll be able to
make this change too if desired...
> 6) In addition, the following APIs have extra security checks. All
> these APIs return a Node. Before returning the Node, they check
> whether the Node's document's origin is the same origin as the script
> calling the API. If not, they return null instead of the node. (We
> could potentially throw an exception here, but I'm just describing
> what WebKit does, not what I think the optimum design is.)
Returning null for these is probably fine. I think I'd support making
this list of things return null cross-origin. Just to check, do you
make this determination based on the origin or the effective script
origin (in spec terms)?
> I should also say that it's entirely possible we've screwed up our
> implementation of this security model. If you discover that we have,
> I'd prefer if you filed a security bug rather than telling the world
> on this public mailing list. :)
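The question raised above, origin versus effective script origin, changes the outcome of the null-returning check in point 6 once `document.domain` is set. The following is an added sketch, not part of the original message and not WebKit or Gecko code; it models both comparisons in simplified form, and every function name and the example.com URLs are assumptions.

```javascript
// Constructed model for illustration; all names here are hypothetical.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Origin of a document URL as a (scheme, host, port) tuple.
function originOf(url) {
  const u = new URL(url);
  return { scheme: u.protocol, host: u.hostname, port: u.port || DEFAULT_PORTS[u.protocol] || "" };
}

// Model of a document: its origin plus an optional document.domain override.
function makeDocument(url, domainOverride = null) {
  return { origin: originOf(url), domainOverride };
}

// Effective script origin: equal to the origin unless document.domain was set,
// in which case the host is replaced and the port stops taking part.
function effectiveScriptOrigin(doc) {
  if (doc.domainOverride === null) return { ...doc.origin, domainSet: false };
  return { scheme: doc.origin.scheme, host: doc.domainOverride, port: null, domainSet: true };
}

function sameTuple(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Policy 1: compare plain origins; document.domain is ignored.
function sameOrigin(callerDoc, targetDoc) {
  return sameTuple(callerDoc.origin, targetDoc.origin);
}

// Policy 2: compare effective script origins; a document that set
// document.domain only matches another document that also set it.
function sameEffectiveScriptOrigin(callerDoc, targetDoc) {
  const a = effectiveScriptOrigin(callerDoc), b = effectiveScriptOrigin(targetDoc);
  return a.domainSet === b.domainSet && sameTuple(a, b);
}

// The check described in point 6: return the node only when the chosen policy
// accepts the pair (calling document, node's document); otherwise return null.
function guardNode(callerDoc, node, policy) {
  return policy(callerDoc, node.ownerDocument) ? node : null;
}
```

The two policies disagree in both directions: sibling subdomains that both set `document.domain` pass only the effective-script-origin check, while two documents on the same host where only one set `document.domain` pass only the plain origin check.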