Adam, thank you for taking the time to put this together. I really
appreciate it. There are lots of things here where we can converge
behavior no matter what happens with other pieces of the platform.
On 1/9/13 5:58 PM, Adam Barth wrote:
> Generally speaking, I'd recommend exposing as few things across
> origins as possible.
Yes, agreed. For what it's worth, I believe Gecko recently made history
not accessible cross-origin anymore, so with any luck you'll be able to
make this change too if desired...
> 6) In addition, the following APIs have extra security checks. All
> these APIs return a Node. Before returning the Node, they check
> whether the Node's document's origin is the same origin as the script
> calling the API. If not, they return null instead of the node. (We
> could potentially throw an exception here, but I'm just describing
> what WebKit does, not what I think the optimum design is.)
Returning null for these is probably fine. I think I'd support making
this list of things return null cross-origin. Just to check, do you
make this determination based on the origin or the effective script
origin (in spec terms)?
> I should also say that it's entirely possible we've screwed up our
> implementation of this security model. If you discover that we have,
> I'd prefer if you filed a security bug rather than telling the world
> on this public mailing list. :)
Indeed. ;)
-Boris
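As an added illustration (not code from either correspondent or from WebKit), a small JavaScript model of the null-return rule Adam describes, extended to the origin vs. effective script origin question Boris raises. All URLs, document.domain values and node names are constructed sample data.

```javascript
// Parse a URL into the (scheme, host, port) tuple that defines its origin.
// Default ports are filled in so "https://h/" and "https://h:443/" compare equal.
function originOf(url) {
  const u = new URL(url);
  const scheme = u.protocol.replace(/:$/, "");
  const port = u.port || (scheme === "https" ? "443" : scheme === "http" ? "80" : "");
  return { scheme, host: u.hostname, port };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// A minimal document: its URL-derived origin plus an optional document.domain.
function makeDocument(url, domain = null) {
  return { origin: originOf(url), domain };
}

// Effective script origin (HTML spec terms): setting document.domain replaces
// the host with that value and drops the port, so two documents match only if
// both set the same domain under the same scheme, or neither set it and their
// plain origins are equal. A document that set it never matches one that did not.
function sameEffectiveScriptOrigin(docA, docB) {
  if (docA.domain !== null && docB.domain !== null) {
    return docA.origin.scheme === docB.origin.scheme && docA.domain === docB.domain;
  }
  if (docA.domain === null && docB.domain === null) {
    return sameOrigin(docA.origin, docB.origin);
  }
  return false;
}

// The rule from the thread: a Node-returning API hands back the Node only when
// the Node's document passes the origin check against the calling script's
// document, and null otherwise (no exception). The flag selects which notion
// of origin is compared, which is the question Boris asks.
function guardNodeReturn(node, callerDoc, useEffectiveScriptOrigin = false) {
  const allowed = useEffectiveScriptOrigin
    ? sameEffectiveScriptOrigin(node.ownerDocument, callerDoc)
    : sameOrigin(node.ownerDocument.origin, callerDoc.origin);
  return allowed ? node : null;
}

// Constructed sample documents and nodes.
const callerDoc = makeDocument("https://a.example.com/page");
const sameDoc = makeDocument("https://a.example.com:443/frame");
const otherHostDoc = makeDocument("https://b.example.com/frame");
const httpDoc = makeDocument("http://a.example.com/frame");
const sameNode = { name: "frame-body", ownerDocument: sameDoc };
const otherNode = { name: "other-body", ownerDocument: otherHostDoc };
const httpNode = { name: "http-body", ownerDocument: httpDoc };
```

Under the plain-origin check `sameNode` is returned while `otherNode` and `httpNode` yield null; with document.domain set to the same value in both a.example.com and b.example.com documents, only the effective-script-origin variant lets the cross-host node through.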