On Tue, 21 Jun 2011 23:42:32 +0900, Boris Zbarsky <bzbar...@mit.edu> wrote:

On 6/21/11 5:21 AM, Hallvord R. M. Steen wrote:
Another issue I noticed is in the text under the heading "the
javascript: URL scheme" - specifically the last "otherwise" part of the
text. This is about trying to navigate a window from a different origin
to a javascript: URL. Don't we expect a security exception here?

I don't think so, no.

In particular, this check needs to happen right before running the script, which happens asynchronously, right?

Opera actually does a check earlier - there is an origin check if a script attempts to set location / location.href to a string that starts with javascript:. (This model is of course safe if the javascript: URL executes immediately. If there is any way to insert a predictable delay between the security check and the actual execution, a timing-sensitive XSS attack might be possible.)

So at that point throwing a security exception doesn't make much sense...

Well, I somewhat disagree with the "doesn't make much sense" claim here ;). It made sense to me to inform either the setting script or the script inside the javascript: URL itself of the problem by throwing an exception. However, I guess the latter is somewhat murky security-wise for little gain, and the former would mean throwing a new exception when most engines apparently haven't done so traditionally, so we should avoid that.

Summing up, I think the HTML5 spec is OK as-is, and will report a bug to get us to align.

--
Hallvord R. M. Steen, Core Tester, Opera Software
http://www.opera.com http://my.opera.com/hallvors/
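
A toy model of the two check placements discussed in this message, added here as an illustration; it is not code from Opera, the HTML5 spec or either poster. The window class, function names and origins are constructed, and the model assumes a failed late check skips the script without throwing.

```javascript
// Toy model (constructed; not browser or spec code). A window has an origin and
// a task queue; a javascript: URL navigation is queued and runs asynchronously.
class ToyWindow {
  constructor(origin) {
    this.origin = origin;
    this.tasks = []; // pending asynchronous tasks
    this.ran = [];   // scripts that executed: who set them, where they ran
  }
  navigate(origin) { this.origin = origin; } // ordinary navigation to a new document
  runTasks() { while (this.tasks.length) this.tasks.shift()(); }
}

// Placement A: origin check when location is set, none at execution time.
function setLocationEarlyCheck(callerOrigin, target, url) {
  if (!url.startsWith("javascript:")) return "not-javascript-url";
  if (callerOrigin !== target.origin) return "blocked-at-set";
  target.tasks.push(() => target.ran.push({ setBy: callerOrigin, ranIn: target.origin }));
  return "queued";
}

// Placement B: origin check right before the script runs.
function setLocationLateCheck(callerOrigin, target, url) {
  if (!url.startsWith("javascript:")) return "not-javascript-url";
  target.tasks.push(() => {
    if (callerOrigin !== target.origin) return; // assumption: skip silently, no exception
    target.ran.push({ setBy: callerOrigin, ranIn: target.origin });
  });
  return "queued";
}

// The target starts at https://a.example. With navigateInGap, it moves to
// https://b.example after location is set but before the queued task runs.
function scenario(setLocation, callerOrigin, navigateInGap) {
  const target = new ToyWindow("https://a.example");
  const result = setLocation(callerOrigin, target, "javascript:void 0");
  if (navigateInGap) target.navigate("https://b.example");
  target.runTasks();
  const crossOriginRuns = target.ran.filter(r => r.setBy !== r.ranIn).length;
  return { result, runs: target.ran.length, crossOriginRuns };
}

console.log(scenario(setLocationEarlyCheck, "https://a.example", true));
console.log(scenario(setLocationLateCheck, "https://a.example", true));
```

In the model, only the early placement lets a script set by one origin run in a document of another, and only when something changes the target between the check and the queued execution.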
