Mark S. Miller (2013-08-01T02:16:17.000Z)
domenic at domenicdenicola.com (2013-08-09T20:16:22.544Z)
On Wed, Jul 31, 2013 at 6:44 PM, Brendan Eich <brendan at mozilla.com> wrote:

> You want me to read and interpret and digest it for ya? :-P

(Sheepishly) well, uh, yeah.

> Changing document.domain changes effective script origin, which affects
> some but not all security judgments. Basically the old-school ones that
> predate CORS; also images/media/fonts are not affected. But web compat
> still requires content in connected windows w1 and w2, loaded from
> foo.bar.com and baz.bar.com respectively, to be able to join origins at
> bar.com.

That's not the hard problem relevant to the current question. Given two frames both starting at foo.bar.com. While they're both there, their object graphs become arbitrarily entangled, which is as it should be. Then, one of them truncates to bar.com. Now they are separate origin iframes. What happens to their inter-frame pointers, which are now cross-origin pointers? In a membraneless browser, how are the newly-cross-origin pointers even distinguished from the same-origin pointers?
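
The two scenarios in this message, as an added example that is not part of the original thread: a simplified JavaScript model of the origin comparison that `document.domain` feeds into, following the "same origin-domain" rule in the HTML Standard. The `Origin` class and function names are hypothetical, the public-suffix restriction browsers enforce is omitted, and the model covers only the access check, not what becomes of references the frames already hold.

```javascript
// Simplified model of script-origin comparison with document.domain.
// Constructed for illustration; the public-suffix check is omitted (assumption).
class Origin {
  constructor(scheme, host, port) {
    Object.assign(this, { scheme, host, port, domain: null });
  }
  // Models `document.domain = value`: must equal the host or be a parent of it.
  setDomain(value) {
    const current = this.domain !== null ? this.domain : this.host;
    if (value !== current && !current.endsWith("." + value)) {
      throw new Error("SecurityError: " + value + " is not a suffix of " + current);
    }
    this.domain = value;
  }
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// If both sides set a domain, compare scheme and domain (port is ignored).
// If neither did, fall back to plain same-origin. A mixed pair never matches.
function sameOriginDomain(a, b) {
  if (a.domain !== null && b.domain !== null) {
    return a.scheme === b.scheme && a.domain === b.domain;
  }
  if (a.domain === null && b.domain === null) return sameOrigin(a, b);
  return false;
}

// Quoted scenario: w1 and w2 from sibling hosts join at bar.com.
function joinScenario() {
  const w1 = new Origin("http", "foo.bar.com", 80);
  const w2 = new Origin("http", "baz.bar.com", 80);
  const before = sameOriginDomain(w1, w2);
  w1.setDomain("bar.com");
  w2.setDomain("bar.com");
  return { before, after: sameOriginDomain(w1, w2) };
}

// Reply scenario: two frames at foo.bar.com, then one truncates to bar.com.
function truncateScenario() {
  const f1 = new Origin("http", "foo.bar.com", 80);
  const f2 = new Origin("http", "foo.bar.com", 80);
  const before = sameOriginDomain(f1, f2);
  f1.setDomain("bar.com");
  return { before, after: sameOriginDomain(f1, f2) };
}
```
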