On 11/9/12 2:05 PM, Adam Barth wrote:
> The approach we use in WebKit is quite simple---we just perform an
> access check before doing any sensitive operations.

The issue in Gecko, as I understand, is that security checks from C++ code require introspecting running JS to figure out what the right actor ("subject") origin for the security check is. This is somewhat fragile because it's easy to accidentally interpose other things that look like running JS between the caller and callee in many cases. Note that this problem would be even worse for a self-hosted (implemented in JS) implementation of something like Location...

The upshot is that instead we aim to do security checks at points where control crosses from one origin to another, and use proxies to enforce the security invariants involved.

Bobby knows more about this than I do, so I'll let him correct any inaccuracies.

> This access check is required in any case because the underlying Location
> object is visible across origins.

In Gecko, it's actually not.  A proxy is visible.

One thing I'd like is some comment from Opera and Microsoft about what their situation is, since implementing what WebKit does would mean both of those changing. This is probably the wrong venue to get hold of Microsoft for an official statement, sadly. :(

-Boris
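A toy model of the design Boris describes above, added here and not taken from the thread or from Gecko's code: the subject origin is known at the point where control crosses origins, and a Proxy installed there enforces the cross-origin rules for Location, so the wrapped object itself needs no per-accessor check. `makeLocation`, `crossOriginWrapper` and `CROSS_ORIGIN_ALLOWED` are invented names, and the allow-list (navigate, but don't read) is a simplified stand-in for the real policy.

```javascript
// Constructed stand-in for a Location backed by a browsing context.
function makeLocation(href) {
  const url = new URL(href);
  return {
    get href() { return url.href; },
    set href(v) { url.href = new URL(v, url).href; },
    get hostname() { return url.hostname; },
    get pathname() { return url.pathname; },
    get origin() { return url.origin; },
    replace(v) { url.href = new URL(v, url).href; },
    toString() { return url.href; },
  };
}

// Simplified cross-origin policy (assumption, not the spec): a foreign caller
// may navigate the frame (set href, call replace) but may not read its state.
const CROSS_ORIGIN_ALLOWED = { get: new Set(['replace']), set: new Set(['href']) };

// Called once, at the origin crossing, with the subject origin already known.
// Same-origin callers get the real object; everyone else gets a Proxy whose
// traps reject anything outside the allow-list before it reaches Location.
function crossOriginWrapper(target, subjectOrigin) {
  if (subjectOrigin === target.origin) return target;
  const deny = (op, prop) => {
    throw new Error(`SecurityError: ${op} of "${String(prop)}" blocked across origins`);
  };
  return new Proxy(target, {
    get(t, prop) {
      if (!CROSS_ORIGIN_ALLOWED.get.has(prop)) deny('read', prop);
      return (...args) => t[prop](...args); // keep `this` bound to the real target
    },
    set(t, prop, value) {
      if (!CROSS_ORIGIN_ALLOWED.set.has(prop)) deny('write', prop);
      t[prop] = value;
      return true;
    },
    // Don't even reveal which properties exist beyond the allow-list.
    has: (t, prop) => CROSS_ORIGIN_ALLOWED.get.has(prop) || CROSS_ORIGIN_ALLOWED.set.has(prop),
  });
}
```

Because the check lives in the wrapper handed out at the boundary, no code inside `makeLocation` has to work out who the caller is.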
