On 7/31/13 7:39 PM, Mark S. Miller wrote:
> But does the html5 spec say anything about what is supposed to happen?
Hixie punted on this and specced the current WebKit/Trident/Presto behavior: the only security checks are on access to properties of Document and Window (modulo the Location weirdness) and if you get an object from another page before document.domain is set then you can do whatever you want to with that object and anything reachable from it until you walk through a Window or Document.
I've pointed out to him several times that we (Gecko) are not likely to implement what he has specified, because it causes security problems as far as we're concerned. Furthermore, the ad-hoc security checks involved in the model Hixie has specced are ... leaky. See http://lists.w3.org/Archives/Public/public-script-coord/2013AprJun/0621.html for an example, and we have privately reported other similar examples of cross-site information leakage to other browser vendors, even when document.domain is not involved.
-Boris

