On Thu, 1 Aug 2013, Boris Zbarsky wrote:
> On 7/31/13 10:35 PM, Mark S. Miller wrote:
> > This seems like a bad bug in the html5 spec. Is there any public
> > discussion explaining why the currently speced behavior should be
> > considered acceptable?
>
> "It's simple and implemented by the majority of UAs" is the main reason
> as far as I can tell. Ian is not going to spec something people are
> unwilling to implement, because that would make the spec pretty
> useless... and I can definitely understand his position. The best way
> to make progress here is to get UAs fixed.
Pretty much. Personally I'd like to drop document.domain entirely, but that's not going to fly any time soon.

Note that it's not a bug, per se. There's no direct security benefit to cutting ties between two documents that used to be connected when you apply document.domain to disconnect them. It provides a defense in depth for the (likely, as it turns out) case where there's some other bug that means that two cross-origin pages can accidentally end up being considered same-origin for some reason and get hold of each other's objects, but if you assume that the browser is implemented perfectly per spec (modulo some issues we're currently working to fix), you're not going to introduce any vulnerabilities by not doing this.

document.domain and the effective script origin concept introduce all kinds of problems unrelated to security that it would be nice to get rid of. For example, they limit to what extent you can isolate pages into different processes, because you have to worry about the full set of origins that could ever become related by document.domain (the spec has the term "similar-origin" to handle this, in fact).

Also, note that the Gecko approach to this isn't the only way to approach this defense-in-depth problem. Another way would be to do process isolation at the browsing context level (i.e. make it possible for iframes to be in their own process), and then have one process per group of similar-origin browsing contexts. That actually gets you closer to what the spec says (closer to the legacy model) than the Gecko approach, while still having a pretty solid defense against accidental leakage of cross-origin objects (arguably a stronger model, since you can actually prevent the entire process from having access to the data of other origins at the OS level, rather than just enforcing it at the JS level).

-- 
Ian Hickson
http://ln.hixie.ch/
Things that are impossible just take longer.

_______________________________________________
es-discuss mailing list
[email protected]
https://mail.mozilla.org/listinfo/es-discuss
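The legacy document.domain model the thread argues about, as an added example that is not code from the thread, the spec or any browser: a small JavaScript model of the setter's registrable-domain-suffix rule, the effective script origin comparison (port nulled once document.domain is set), and the spec's "similar-origin" grouping that a per-process isolation scheme would have to keep together. The public suffix table is a constructed toy subset, not the real list.

```javascript
// Constructed toy subset of the public suffix list (the real list is long).
const PUBLIC_SUFFIXES = new Set(['com', 'org', 'co.uk']);

// Registrable domain (public suffix plus one label) of a host, or null if
// no known public suffix matches.
function registrableDomain(host) {
  const labels = host.split('.');
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join('.'))) {
      return labels.slice(i - 1).join('.');
    }
  }
  return null;
}

class Doc {
  constructor(scheme, host, port) {
    this.origin = { scheme, host, port };
    this.domain = null; // document.domain has not been set yet
  }
  // Model of the document.domain setter: the value must be the host itself,
  // or a label-boundary suffix of it that is no shorter than the host's
  // registrable domain (so "com" or "co.uk" are rejected).
  setDomain(value) {
    const host = this.origin.host;
    const rd = registrableDomain(host);
    const allowed = value === host ||
      (host.endsWith('.' + value) && rd !== null &&
       (value === rd || value.endsWith('.' + rd)));
    if (!allowed) throw new Error('SecurityError: cannot set document.domain to ' + value);
    this.domain = value;
  }
  // Effective script origin: once document.domain is set, the port becomes
  // null, so only documents that also set document.domain can match it.
  effectiveOrigin() {
    if (this.domain === null) return this.origin;
    return { scheme: this.origin.scheme, host: this.domain, port: null };
  }
}

// Same-origin comparison on effective script origins.
function sameEffectiveOrigin(a, b) {
  const x = a.effectiveOrigin(), y = b.effectiveOrigin();
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// "Similar-origin" units: documents that could ever become same-origin via
// document.domain (same scheme, same registrable domain) share a unit.
function similarOriginUnits(docs) {
  const units = new Map();
  for (const d of docs) {
    const key = d.origin.scheme + '://' + (registrableDomain(d.origin.host) ?? d.origin.host);
    if (!units.has(key)) units.set(key, []);
    units.get(key).push(d);
  }
  return units;
}
```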

