[whatwg] Need to define same-origin policy for WebIDL operations/getters/setters

Adam Barth w3c at adambarth.com
Thu Jan 10 22:29:02 PST 2013


On Wed, Jan 9, 2013 at 8:21 PM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> Adam, thank you for taking the time to put this together.  I really
> appreciate it.  There are lots of things here where we can converge behavior
> no matter what happens with other pieces of the platform.
>
> On 1/9/13 5:58 PM, Adam Barth wrote:
>>
>> Generally speaking, I'd recommend exposing as few things across
>> origins as possible.
>
> Yes, agreed.  For what it's worth, I believe Gecko recently made history not
> accessible cross-origin anymore, so with any luck you'll be able to make
> this change too if desired...

Do you have a link to the bug where that change was made?  It's
something I would definitely like to do if compatibility permits.
We'd probably start with a measurement experiment...

>> 6) In addition, the following APIs have extra security checks.  All
>> these APIs return a Node.  Before returning the Node, they check
>> whether the Node's document's origin is the same origin as the script
>> calling the API.  If not, they return null instead of the node.  (We
>> could potentially throw an exception here, but I'm just describing
>> what WebKit does, not what I think the optimum design is.)
>
> Returning null for these is probably fine.  I think I'd support making this
> list of things return null cross-origin.  Just to check, do you make this
> determination based on the origin or the effective script origin (in spec
> terms)?

The effective script origin.

Adam



More information about the whatwg mailing list