On Tue, 8 Jan 2013, Cameron McCormack wrote:
> On 16/12/12 9:34 PM, David Bruant wrote:
> > WebIDL needs to embed in some way the notion of origin to enable
> > throwing for security reasons in the right places.
> >
> > One idea would be to add an [OriginAware] extended attribute:
> > * On operations (like in Boris' case), an origin check would be performed
> > before calling the core of the operation
>
> Why would this need to be on specific operations and not just be
> enforced on every operation?

Most things don't have an origin. Origin checks are only done in some very
specific places where you try to get an object's properties; what we're
saying here is that for those properties, you also need to do the check
when you run the code behind those properties (e.g. call a method),
against the "this".

(Note: This is not what Gecko does. Some Mozilla people have been
petitioning me to change the model in the spec to be more like Gecko's
model.)

> Is it that we want to avoid the overhead of origin checking if we know
> that calling the operation does not leak information? Or is it that
> only a limited set of objects is exposed cross origin anyway, so we only
> need to check those?

Both.

> For the actual wording of the check, we could either have a "security
> check" that is performed at the right time in #es-operations etc. and
> which HTML defines to do the origin checking, or we can make Web IDL
> aware of origins itself, and then HTML would define what origin
> different objects come from.

In the case of Location, it's not about the origin of the object, it's
about the origin of the active Document of the Window.

See the "Security" sections in the HTML spec for examples of what we have
now (there's one for Window, one for Document, and one for Location -- I
think that's it).

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
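
Added illustration, not part of the message above and not spec or browser code: a toy JavaScript model of why a check at property-get time alone is not enough, and the operation must also check its `this` when it runs. The names `makeLocation`, `describe`, `originAware` (borrowed from the proposed attribute name), and the origin bookkeeping are assumptions made for the sketch.

```javascript
// Toy model constructed for illustration; not spec text or browser code.
class SecurityError extends Error {}

const slots = new WeakMap();  // exposed object -> { origin, href } internal state
let callerOrigin = null;      // origin of the script currently running (assumed)

function sameOriginCheck(obj) {
  const state = slots.get(obj);
  if (!state || state.origin !== callerOrigin) {
    throw new SecurityError("cross-origin access denied");
  }
}

// Wrap an operation so the check runs at call time, against `this`.
function originAware(operation) {
  return function (...args) {
    sameOriginCheck(this);
    return operation.apply(this, args);
  };
}

function makeLocation(origin, href, checkOnCall) {
  // Like native code, the operation reads internal state directly,
  // so the property-get check below never sees this read.
  const describe = function () { return slots.get(this).href; };
  const target = { describe: checkOnCall ? originAware(describe) : describe };
  const exposed = new Proxy(target, {
    get(t, key) { sameOriginCheck(exposed); return t[key]; },  // check on property get
  });
  slots.set(exposed, { origin, href });
  return exposed;
}

// Script from a.example borrows its own method and calls it on b.example's object.
function crossOriginCall(checkOnCall) {
  const mine = makeLocation("https://a.example", "https://a.example/home", checkOnCall);
  const theirs = makeLocation("https://b.example", "https://b.example/private", checkOnCall);
  callerOrigin = "https://a.example";
  const method = mine.describe;    // same-origin get: allowed
  try {
    return method.call(theirs);    // `this` is the cross-origin object
  } catch (e) {
    return e instanceof SecurityError ? "SecurityError" : "error: " + e.message;
  }
}

console.log("get-only check:   ", crossOriginCall(false));
console.log("check on call too:", crossOriginCall(true));
```

With only the property-get check, the borrowed method returns the other origin's internal state; with the call-time check against `this`, the same call throws.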