On Jul 13, 2009, at 4:34 PM, Adam Barth wrote:

CVE-2009-1702 is an example of such a security hole.  I'm sure that I
can find more if I look for them.

I think objects attached to the global object and accessible cross-origin are a special case here. (The advisory cited is about Location and History.) Values that can be accessed cross-origin are the most likely locus for security issues in this area. And they also likely need behavior that's different from the generally proposed pattern, since revealing or allowing the mutation of home origin prototypes is a security risk.

If security is one motivation for this work, then I'd like us to understand the pattern we want to use for cross-origin-accessible objects. Should they use the "home global object" prototype but protect it from mutation or access to extended properties, should they use the prototype of the referencing frame (lexical global object) or something else?

Personally I am convinced that the answers to (3) and (C) are both "yes",
and I don't know about any of the other points.

I can try to provide more information as best I can.  Another option
is to make this change incrementally and assess the costs as we go.
For example, we could fix the SVG prototypes first.

Doing the change incrementally seems wise, if it is feasible to do so. Maybe even a patch demonstrating how it would work for a single class could be a good way to evaluate the change. Perhaps separate trailblazing examples could be given for both an ordinary class and one that is cross-origin accessible.

Regards,
Maciej

_______________________________________________
webkit-dev mailing list
webkit-dev@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev