AC wrote:
> Quick questions & comments.

Thanks -- I will address minor comments by fixing them in a forthcoming
revision on the wiki.

> * load/parse: when does parse return --- when the document is parsed,
> when it is finished loading, or when the document is closed?  If the
> first, it is not clear to me why the stack is popped, or why the stack
> is not needed for operations while the document is open.

This model is simplified to use synchronous iframe sub-document
fetching.  So if the outer document contains an iframe whose src is
fetched and parsed, the stack needs to be pushed again before the
iframe content is parsed.

> * canAccess/mapMeet(stack): I don't understand what windows are on the
> stack.  If load pops the window when done loading, there normally
> wouldn't be more than one window on stack.

In the model, script (inline only) tag contents are eval'ed using the
top of stack global, as the document containing the scripts is parsed.

You raise a good point.  Today we parse an iframe src="http://bar.com"
included in a document loaded from "http://foo.com" without bounding
principals between the two origins.  The stack is needed to handle
nested iframes, but the rule for canAccess would use only the top
window's principal, not mapMeet.  This seems like a bug in the spec.

The model stack really is meant to compress the JS control stack, where
an arbitrary number of functions loaded in one window may nest, but
when control flows into a function from another trust domain (typically
cross-site by allAccess, e.g. location.href's setter or document.open
being called), the model stack must grow by one entry, the global that
owns the callee function (and its principal).

So there are two different access checking modes based on the stack:
loading, where only the top principal is used as subject principal;
executing (either from an inline script, or from a button onclick
handler, or from an a href="javascript:..." link click). I will work to
separate the two modes.  Our code today uses only the top principal in
both modes, but we believe this is unsound.

> If load doesn't pop window
> until document is closed, then stack would grow when either a link
> accessed or a subsidiary dialog/window is opened.

Stack is popped at end of load() function.

> Then I thought comma works like Javascript, but javascript
> handling of comma is a little obscure to someone who hasn't used it:
> var x = 2; x = ++x, 5*x; x
> ---> returns first value 3, not 15, though
> var x = 2; x = (++x, 5*x); x
> --> returns last value, 15.]

JS inherited C's comma operator, with lowest precedence and
left-to-right evaluation. No tuples. I will work on
standardizing/clarifying the spec language.

/be

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
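The message above distinguishes two access-check modes over a principal stack: loading, where only the top principal is the subject, and executing, where a cross-domain call grows the stack and the subject should be the meet of every entry. The following is an added toy model of that stack, not Mozilla's code or the spec text; the names (PrincipalStack, withWindow, mapMeet, runScenario), the use of origin strings as principals, and the BOTTOM value that can access nothing are all assumptions made here for illustration.

```javascript
// Added illustration of the principal-stack model from the thread (not
// Mozilla's implementation). Principals are modelled as origin strings;
// BOTTOM is the meet of disagreeing principals and may access nothing.
const BOTTOM = "<bottom>";

// mapMeet: the single principal when all stack entries agree, else BOTTOM.
function mapMeet(principals) {
  const distinct = new Set(principals);
  return distinct.size === 1 ? [...distinct][0] : BOTTOM;
}

class PrincipalStack {
  constructor() { this.entries = []; }
  top() { return this.entries[this.entries.length - 1]; }

  // Push a window's principal for the duration of fn (a nested load(), or
  // control flowing into a function owned by another window), and pop it on
  // the way out even if fn throws.
  withWindow(principal, fn) {
    this.entries.push(principal);
    try { return fn(); } finally { this.entries.pop(); }
  }

  // Subject principal under the two rules discussed in the message:
  //   "top"  - only the top of stack (adequate while loading/parsing)
  //   "meet" - the meet of every entry (needed while executing, so a
  //            cross-site callee cannot lend its authority to the caller)
  subject(rule) {
    return rule === "top" ? this.top() : mapMeet(this.entries);
  }
}

// Same-origin check of the subject principal against the object's principal.
function canAccess(stack, rule, objectPrincipal) {
  const subject = stack.subject(rule);
  return subject !== BOTTOM && subject === objectPrincipal;
}

// Constructed scenario: foo.com loads a document containing
// <iframe src="http://bar.com"> (synchronous sub-document fetch, as in the
// model), and later a foo.com click handler calls into a function that
// bar.com's window owns. Returns every check result by name.
function runScenario() {
  const FOO = "http://foo.com", BAR = "http://bar.com";
  const stack = new PrincipalStack();
  const r = {};

  // load(): parsing the outer document pushes foo; the iframe pushes bar.
  stack.withWindow(FOO, () => {
    r.fooInlineReadsFoo = canAccess(stack, "top", FOO);
    stack.withWindow(BAR, () => {
      r.barIframeReadsBar = canAccess(stack, "top", BAR);
      r.barIframeReadsFoo = canAccess(stack, "top", FOO);
    });
  });
  // Stack is popped at the end of load(), so it is empty here.
  r.stackEmptyAfterLoad = stack.entries.length === 0;

  // executing: an onclick handler in foo runs, then calls a bar-owned
  // function (e.g. a cross-site location.href setter), growing the stack.
  stack.withWindow(FOO, () => {
    r.fooHandlerReadsFoo = canAccess(stack, "meet", FOO);
    stack.withWindow(BAR, () => {
      // Top-only rule: the bar callee is judged as bar alone.
      r.topOnlyLetsBarCalleeReadBar = canAccess(stack, "top", BAR);
      // Meet rule: caller foo and callee bar disagree, so nothing is readable.
      r.meetLetsBarCalleeReadBar = canAccess(stack, "meet", BAR);
      r.meetLetsBarCalleeReadFoo = canAccess(stack, "meet", FOO);
    });
  });
  r.stackEmptyAtEnd = stack.entries.length === 0;
  return r;
}
```

The interesting pair is topOnlyLetsBarCalleeReadBar (true) versus meetLetsBarCalleeReadBar (false): under the top-only rule, code that foo.com merely invoked runs with bar.com's full authority, which is the unsoundness the message points at for the executing mode; the meet rule denies it while still letting the loading-mode checks behave as before.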
