[Bug 22346] Security: Check origins when invoking a method, getter, or setter on an object using the property descriptor of another

# bugzilla at jessica.w3.org (4 years ago)

www.w3.org/Bugs/Public/show_bug.cgi?id=22346

Ian 'Hixie' Hickson ian@hixie.ch changed:

       What    |Removed                     |Added

        Summary|Security: When invoking a   |Security: Check origins
               |method, getter, or setter   |when invoking a method,
               |on an object using the      |getter, or setter on an
               |property descriptor of      |object using the property
               |another, we need to do a    |descriptor of another
               |security check              |

# bugzilla at jessica.w3.org (3 years ago)

www.w3.org/Bugs/Public/show_bug.cgi?id=22346

Ian 'Hixie' Hickson ian@hixie.ch changed:

       What    |Removed                     |Added

     Whiteboard|[v1]                        |blocked on deciding on
               |                            |overall security design in
               |                            |bug 20701

# bugzilla at jessica.w3.org (3 years ago)

www.w3.org/Bugs/Public/show_bug.cgi?id=22346

Tobias Braun Tobias-Braun1004@gmx.de changed:

       What    |Removed                     |Added

     Depends on|                            |26745

# bugzilla at jessica.w3.org (2 years ago)

www.w3.org/Bugs/Public/show_bug.cgi?id=22346

focus.nca.vii@gmail.com changed:

       What    |Removed                     |Added

          Flags|                            |needinfo?

# bugzilla at jessica.w3.org (2 years ago)

www.w3.org/Bugs/Public/show_bug.cgi?id=22346

Anne annevk@annevk.nl changed:

       What    |Removed                     |Added

     Depends on|26745                       |

Referenced Bugs:

www.w3.org/Bugs/Public/show_bug.cgi?id=26745 [Bug 26745] Security: Redesign how cross-origin-visible objects work (Location, Window)

# bugzilla at jessica.w3.org (a year ago)

www.w3.org/Bugs/Public/show_bug.cgi?id=22346

Michael[tm] Smith mike@w3.org changed:

       What    |Removed                     |Added

          Flags|needinfo?                   |

# bugzilla at jessica.w3.org (a year ago)

www.w3.org/Bugs/Public/show_bug.cgi?id=22346

--- Comment #13 from Anne annevk@annevk.nl ---

The section Implement IDL's "perform a security check" of annevk/html-cross-origin-objects#implement attempts to solve this.

The only remaining issue is Window vs WindowProxy. I'm not entirely sure how to resolve that. bz, heycam, ideas?

# bugzilla at jessica.w3.org (a year ago)

www.w3.org/Bugs/Public/show_bug.cgi?id=22346

Anne annevk@annevk.nl changed:

       What    |Removed                     |Added

             CC|                            |contributor@whatwg.org

--- Comment #14 from Anne annevk@annevk.nl ---

Bug 27212 has been marked as a duplicate of this bug.

# bugzilla at jessica.w3.org (a year ago)

www.w3.org/Bugs/Public/show_bug.cgi?id=22346

--- Comment #15 from Boris Zbarsky bzbarsky@mit.edu ---

IDL needs to have a concept of WindowProxy, which it doesn't right now. There's some rambling but relevant discussion in bug 27128.

The right behavior, imo, is for methods/getters/setters that expect a Window or some interface Window inherits from (in practice just EventTarget) to extract the underlying Window from a WindowProxy "this" before performing the security check bits.

# bugzilla at jessica.w3.org (a year ago)

www.w3.org/Bugs/Public/show_bug.cgi?id=22346

--- Comment #16 from Anne annevk@annevk.nl ---

Okay, I think it would be best then if Window got the new internal slots, [[crossOriginProperties]] and [[crossOriginPropertyDescriptorMap]], rather than WindowProxy.

# bugzilla at jessica.w3.org (a year ago)

www.w3.org/Bugs/Public/show_bug.cgi?id=22346

--- Comment #17 from Boris Zbarsky bzbarsky@mit.edu ---

Would that do the right thing in the face of navigations? In particular, when navigation happens, what should happen to those slots?

# bugzilla at jessica.w3.org (a year ago)

www.w3.org/Bugs/Public/show_bug.cgi?id=22346

--- Comment #18 from Anne annevk@annevk.nl ---

I'm not sure what the right behavior is. I wish I was a little more confident, but I'm mostly still struggling with the material here.

For crossOriginProperties it seems problematic since the active document changes which means that certain named properties need to change too ("the browsing context name of any child browsing context of the active document whose name is not the empty string"). Not sure about the map.

Would it be better to store this on Document, along with all the other "global" state we store there?

# bugzilla at jessica.w3.org (a year ago)

www.w3.org/Bugs/Public/show_bug.cgi?id=22346

--- Comment #19 from Boris Zbarsky bzbarsky@mit.edu ---

That depends on what the behavior should be across document.open() and navigations from initial about:blank to a same-origin document, right?

Please talk to bholley about what needs to happen with the map and crossOriginProperties on navigation; I don't really have that paged in right now. :(

# bugzilla at jessica.w3.org (a year ago)

www.w3.org/Bugs/Public/show_bug.cgi?id=22346

Anne annevk@annevk.nl changed:

       What    |Removed                     |Added

             CC|                            |bobbyholley@gmail.com
          Flags|                            |needinfo?(bobbyholley@gmail
               |                            |.com)

--- Comment #20 from Anne annevk@annevk.nl ---

Bobby, see comment 13 onwards.

# bugzilla at jessica.w3.org (a year ago)

www.w3.org/Bugs/Public/show_bug.cgi?id=22346

Bobby Holley (:bholley) bobbyholley@gmail.com changed:

       What    |Removed                     |Added

          Flags|needinfo?(bobbyholley@gmail |
               |.com)                       |

--- Comment #21 from Bobby Holley (:bholley) bobbyholley@gmail.com ---

(In reply to Anne from comment #18)

> I'm not sure what the right behavior is. I wish I was a little more confident, but I'm mostly still struggling with the material here.

Yeah it's pretty hard to keep all the bits in your head at once :-(

> For crossOriginProperties it seems problematic since the active document changes which means that certain named properties need to change too ("the browsing context name of any child browsing context of the active document whose name is not the empty string").

Documents can modify this state of affairs all the time by creating and removing iframes, so that stuff needs to be dynamic in any case. So I think we can't store it in a slot. Watch out for code.google.com/p/chromium/issues/detail?id=237022 though.

> Not sure about the map.

See below.

(In reply to Boris Zbarsky from comment #19)

> That depends on what the behavior should be across document.open() and navigations from initial about:blank to a same-origin document, right?

Precisely. This is the only situation where it matters whether we store something on the document vs on the window.

> Please talk to bholley about what needs to happen with the map and crossOriginProperties on navigation; I don't really have that paged in right now. :(

The map of property descriptors describes the descriptors that have been returned for the given ES Window and Location objects, which are per-global and thus per-Window. So this needs to live on the Window, I think.

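Added illustration, not part of the original thread and not spec or browser code: a toy JavaScript model of the problem in this bug's title, the WindowProxy unwrapping Boris asks for in comment 15, and the navigation concern raised in comments 17 to 21. The `Origin`, `Window` and `WindowProxy` classes, `performSecurityCheck`, and the two descriptor factories are assumptions made for the model; real Window and Location objects expose far fewer cross-origin properties and the spec's check is more involved. The point it isolates is where the origin check runs: once, when a property descriptor is obtained, versus at every invocation against the unwrapped `this`.

```javascript
// Added toy model of IDL's "perform a security check" step. Not spec text and not
// browser code; every class, origin and URL below is constructed for the example.

class Origin {
  constructor(name) { this.name = name; }
}

// Stand-in for a Window object: an origin plus one origin-sensitive field.
class Window {
  constructor(origin, href) { this.origin = origin; this.href = href; }
}

// Stand-in for a WindowProxy: forwards to the browsing context's currently
// active Window, which is replaced on navigation.
class WindowProxy {
  constructor(win) { this.window = win; }
  navigate(newWin) { this.window = newWin; }
}

// Comment 15: a method/getter/setter that expects a Window must extract the
// underlying Window from a WindowProxy `this` before performing the check.
function unwrapThis(thisValue) {
  return thisValue instanceof WindowProxy ? thisValue.window : thisValue;
}

// The check itself: the calling realm's origin must match the target's origin.
function performSecurityCheck(callerOrigin, target) {
  if (target.origin !== callerOrigin) {
    throw new Error(`SecurityError: ${callerOrigin.name} may not access ${target.origin.name}`);
  }
}

// Vulnerable shape: the origin check runs once, against the object the descriptor
// was requested for. The returned getter then trusts whatever `this` it is applied to.
function hrefDescriptorCheckedAtLookup(callerOrigin, obj) {
  performSecurityCheck(callerOrigin, unwrapThis(obj));
  return {
    get() { return unwrapThis(this).href; },
    enumerable: true,
    configurable: true,
  };
}

// Hardened shape: the getter repeats the check against its actual `this` on every
// invocation, after unwrapping, so the Window currently behind a proxy is what is checked.
function hrefDescriptorCheckedAtInvoke(callerOrigin, obj) {
  performSecurityCheck(callerOrigin, unwrapThis(obj));
  return {
    get() {
      const target = unwrapThis(this);
      performSecurityCheck(callerOrigin, target);
      return target.href;
    },
    enumerable: true,
    configurable: true,
  };
}

function attempt(fn) {
  try { return { leaked: true, value: fn() }; }
  catch (e) { return { leaked: false, error: e.message }; }
}

// Scenario: a script on origin A obtains a descriptor from its own window (allowed),
// then (1) applies the getter with a different, cross-origin WindowProxy as `this`, and
// (2) applies it to its own WindowProxy after that browsing context navigated to origin B.
function runScenario(makeDescriptor) {
  const a = new Origin('https://a.example');
  const b = new Origin('https://b.example');
  const own = new WindowProxy(new Window(a, 'https://a.example/page'));
  const foreign = new WindowProxy(new Window(b, 'https://b.example/secret?token=1'));

  const desc = makeDescriptor(a, own);              // same origin: lookup is allowed
  const crossThis = attempt(() => desc.get.call(foreign));

  own.navigate(new Window(b, 'https://b.example/after-nav'));
  const afterNav = attempt(() => desc.get.call(own));

  return { crossThis, afterNav };
}

console.log('checked at lookup :', JSON.stringify(runScenario(hrefDescriptorCheckedAtLookup)));
console.log('checked at invoke :', JSON.stringify(runScenario(hrefDescriptorCheckedAtInvoke)));
```

In the lookup-time variant both attempts leak origin B's href, because the decision was made against `own` while it still held an A window and the getter never looks again. The invoke-time variant denies both: the cross-origin `this` in case (1), and in case (2) the same proxy object whose active Window has changed, which is exactly why the check has to be made on the unwrapped Window at call time rather than cached per WindowProxy.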
# bugzilla at jessica.w3.org (a year ago)

www.w3.org/Bugs/Public/show_bug.cgi?id=22346

Bug 22346 depends on bug 20701, which changed state.

Bug 20701 Summary: Security: Redesign how cross-origin-visible objects work (Location, Window) www.w3.org/Bugs/Public/show_bug.cgi?id=20701

       What    |Removed                     |Added

         Status|NEW                         |RESOLVED
     Resolution|---                         |MOVED

# bugzilla at jessica.w3.org (a year ago)

www.w3.org/Bugs/Public/show_bug.cgi?id=22346

Anne annevk@annevk.nl changed:

       What    |Removed                     |Added

         Status|ASSIGNED                    |RESOLVED
     Resolution|---                         |MOVED
       Assignee|ian@hixie.ch                |annevk@annevk.nl

--- Comment #22 from Anne annevk@annevk.nl ---

whatwg/html#638

# bugzilla at jessica.w3.org (3 months ago)

www.w3.org/Bugs/Public/show_bug.cgi?id=22346

Qaiser q.punkx@gmail.com changed:

       What    |Removed                     |Added

     Depends on|                            |30073

Referenced Bugs:

www.w3.org/Bugs/Public/show_bug.cgi?id=30073 [Bug 30073] Security: Redesign how cross-origin-visible objects work (Location, Window)

# bugzilla at jessica.w3.org (3 months ago)

www.w3.org/Bugs/Public/show_bug.cgi?id=22346

Michael[tm] Smith mike@w3.org changed:

       What    |Removed                     |Added

     Depends on|30073                       |

Referenced Bugs:

www.w3.org/Bugs/Public/show_bug.cgi?id=30073 [Bug 30073] Security: Redesign how cross-origin-visible objects work (Location, Window)
