[whatwg] Need to define same-origin policy for WebIDL operations/getters/setters

Adam Barth w3c at adambarth.com
Mon Jan 14 17:42:00 PST 2013


On Mon, Jan 14, 2013 at 5:34 PM, Jonas Sicking <jonas at sicking.cc> wrote:
> On Jan 9, 2013 11:59 PM, "Adam Barth" <w3c at adambarth.com> wrote:
>> To gather this information, I grepped the WebKit IDL files for
>> "CheckSecurity".  Here's what I learned:
> [snip]
>
> I see no mention of document.domain handling in your description.

Yeah, document.domain is no fun.  :)

> How do you handle the case when script from one Window grabs a Node from
> another Window and then the document of one of the two Windows change its
> document.domain property?

There isn't any code in WebKit that does anything special in this
situation.  Because there are no access checks for Node, the script
can continue to use the Node interface as before.

> Also, in another email you mentioned that you had managed to implement the
> security restrictions on the Window object as a white-list rather than a
> black list by marking some interfaces as "needs same-origin checks" and then
> listing the functions that don't need it.

Correct.

> Does this mean that you mark all interfaces that are implemented by the
> Window and Location objects as "needs security checks"? Including
> EventTarget?

In WebKit, neither Location nor Window implement any other interfaces.

Adam



More information about the whatwg mailing list