20012 2012-11-20 02:11:09 +0000 Security section of Location spec is all broken now 2012-11-20 07:45:29 +0000 1 1 1 Unclassified WHATWG HTML unspecified Other other RESOLVED FIXED http://www.whatwg.org/specs/web-apps/current-work/#security-3 P3 normal Unsorted 1 contributor ian bobbyholley bzbarsky ian mike w3c contributor oldest_to_newest 78503 0 contributor 2012-11-20 02:11:09 +0000 Specification: http://www.whatwg.org/specs/web-apps/current-work/multipage/history.html Multipage: http://www.whatwg.org/C#security-3 Complete: http://www.whatwg.org/c#security-3 Comment: Security section of Location spec is all broken now Posted from: 173.48.81.109 by bzbarsky@mit.edu User agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:19.0) Gecko/19.0 Firefox/19.0 78504 1 bzbarsky 2012-11-20 02:12:03 +0000 Given http://html5.org/r/7513 doing security checks based on the associtated document just doesn't work. The security section needs to be changed to reflect reality... 78509 2 bzbarsky 2012-11-20 07:07:38 +0000 For example, reading .href on the location reads the URI of the "relevant Document". But the security checks are all done against the "associated Document", which is a totally different document, and might not be same-origin with the "relevant document". This trivially allows cross-origin location reads if actually implemented. 78511 3 ian 2012-11-20 07:44:55 +0000 Oh, right. The idea here is that you can access your own properties (e.g. to implement a shim for new features), but that you can't access the attributes that the spec defines if the URL is one you shouldn't be able to read. But ok, forget the shimmed properties while the document is cross-origin, we'll just block those. The real ones would be blocked anyway. 78512 4 contributor 2012-11-20 07:45:29 +0000 Checked in as WHATWG revision r7516. Check-in comment: Location's security model is actually different than Window's. http://html5.org/tools/web-apps-tracker?from=7515&to=7516