[whatwg] Need to define same-origin policy for WebIDL operations/getters/setters
Adam Barth
w3c at adambarth.com
Thu Jan 10 22:29:02 PST 2013
On Wed, Jan 9, 2013 at 8:21 PM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> Adam, thank you for taking the time to put this together. I really
> appreciate it. There are lots of things here where we can converge behavior
> no matter what happens with other pieces of the platform.
>
> On 1/9/13 5:58 PM, Adam Barth wrote:
>>
>> Generally speaking, I'd recommend exposing as few things across
>> origins as possible.
>
> Yes, agreed. For what it's worth, I believe Gecko recently made history not
> accessible cross-origin anymore, so with any luck you'll be able to make
> this change too if desired...
Do you have a link to the bug where that change was made? It's
something I would definitely like to do if compatibility permits.
We'd probably start with a measurement experiment...
>> 6) In addition, the following APIs have extra security checks. All
>> these APIs return a Node. Before returning the Node, they check
>> whether the Node's document's origin is the same origin as the script
>> calling the API. If not, they return null instead of the node. (We
>> could potentially throw an exception here, but I'm just describing
>> what WebKit does, not what I think the optimum design is.)
>
> Returning null for these is probably fine. I think I'd support making this
> list of things return null cross-origin. Just to check, do you make this
> determination based on the origin or the effective script origin (in spec
> terms)?
The effective script origin.
Adam
More information about the whatwg
mailing list