[whatwg] Need to define same-origin policy for WebIDL operations/getters/setters

Boris Zbarsky bzbarsky at MIT.EDU
Wed Jan 9 20:21:51 PST 2013

Adam, thank you for taking the time to put this together.  I really 
appreciate it.  There are lots of things here where we can converge 
behavior no matter what happens with other pieces of the platform.

On 1/9/13 5:58 PM, Adam Barth wrote:
> Generally speaking, I'd recommend exposing as few things across
> origins as possible.

Yes, agreed.  For what it's worth, I believe Gecko recently made history 
not accessible cross-origin anymore, so with any luck you'll be able to 
make this change too if desired...

> 6) In addition, the following APIs have extra security checks.  All
> these APIs return a Node.  Before returning the Node, they check
> whether the Node's document's origin is the same origin as the script
> calling the API.  If not, they return null instead of the node.  (We
> could potentially throw an exception here, but I'm just describing
> what WebKit does, not what I think the optimum design is.)

Returning null for these is probably fine.  I think I'd support making 
this list of things return null cross-origin.  Just to check, do you 
make this determination based on the origin or the effective script 
origin (in spec terms)?

> I should also say that it's entirely possible we've screwed up our
> implementation of this security model.  If you discover that we have,
> I'd prefer if you filed a security bug rather than telling the world
> on this public mailing list.  :)

Indeed.  ;)


More information about the whatwg mailing list