27203 2014-10-31 08:09:51 +0000 Evaluate entry settings object usage 2016-06-15 19:27:53 +0000 1 1 1 Unclassified WHATWG HTML unspecified PC All RESOLVED MOVED blocked on dependencies P2 normal Unsorted 27204 1 annevk d bzbarsky d ian josh mike contributor oldest_to_newest 114305 0 annevk 2014-10-31 08:09:51 +0000 From bug 27196 comment 5 by bz: > I thing HTML is buggy if it's doing that. I just looked, and it looks like > it does it for the following (I'm ignoring things like referrers and base > URIs and whatnot, just looking at origins): > > 1) Canvas tainting bits. Does this actually match implementations? Does it > make sense to do it that way? > > 2) .frameElement, looking at effective script origins. This is not too > unreasonable, since effective script origins end up needing to match the > effective script origins of everything else you're dealing with, pretty > much, so it doesn't matter too much which settings object you use here. At > least in browsers that implement security membranes (which of course doesn't > match the HTML spec, but I consider that a bug in the HTML spec). > > 3) A check in replaceState which I'm totally unclear on. It claims to > restrict sandboxed content, but there's nothing to indicate that the entry > settings will be the sandboxed thing! > > 4) Location security checks. That stuff is all broken as written up right > now; see bug 20701. > > 5) Origin check in registerProtocolHandler. Again, it's not clear to me > why using the origin of the entry settings object is the right thing here. > I don't think it is. > > 6) Something in IsSearchProviderInstalled. > > 7) createImageBitmap. This is similar to canvas tainting. Except ignores > CORS? > > 8) For EventSource, setting the origin for CORS purposes to that of the > entry settings object. That makes no sense to me. > > 9) For websocket, checking the scheme of the origin of the entry settings > object, and using its origin in the websocket connection. > > 10) A sanity check that all origins match in postMessage. This part is not > too unreasonable. 114464 1 ian 2014-11-04 00:34:48 +0000 I'm unclear on what you want me to do here. 114475 2 annevk 2014-11-04 08:50:43 +0000 Per bug 27204 comment 1 we need to check whether these actually use the correct concept. 114574 3 ian 2014-11-06 00:36:35 +0000 I've checked these multiple times. By definition, anything in the spec is something I've checked; I don't write the spec blindly. :-) Is there someone else who would like to check them also? 114585 4 annevk 2014-11-06 08:39:39 +0000 From comment 0, #3 and #5 seem potentially problematic. I was hoping that we could revisit this list once we dealt with bug 27204. 126780 5 d 2016-06-15 19:27:53 +0000 https://github.com/whatwg/html/issues/1431