On 1/7/13 6:41 PM, Ian Hickson wrote:
Most things don't have an origin.
Pretty much everything has an origin in practice: it's associated with
some Window, hence can be treated as having the same origin as that Window.
Origin checks are only done in some very
specific places where you try to get an object's properties; what we're
saying here is that for those properties, you also need to do the check
when you run the code behind those properties (e.g. call a method),
against the "this".
I'm not quite sure we're talking about the same thing here. Can you
give an example of what you're thinking?
What _I'm_ thinking is that there needs to be a security check when
someone does
Document.prototype.getElementsByTagName.call(subframe.contentDocument).
This is not the same security check as the one performed by
subframe.contentDocument.getElementsByTagName (note lack of call; it
never gets that far in the cross-origin case). This is independent of
whether we're doing security checks on all property access or on some of
them.
Is it that we want to avoid the overhead of origin checking if we know
that calling the operation does not leak information? Or it it that
only a limited set of objects is exposed cross origin anyway, so we only
need to check those?
Both.
Implementing different security models on the IDL level is a footgun of
enormous size. We should simply have IDL methods throw if called with
not-same-origin "this" or arguments, except for a whitelist. In my
opinion. Anything else is fragile and leads to security whack-a-mole.
Not that we can have the argument about which interfaces are subject to
this security check if you want to only limit it to some objects; or
example you could argue that this is only needed on Window, EventTarget,
Document, Node, and a few others. That's a separate argument from
whether the security checks for those interfaces should be opt-in or
opt-out.
-Boris
