This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
Specification: http://www.whatwg.org/specs/web-apps/current-work/multipage/history.html
Multipage: http://www.whatwg.org/C#security-3
Complete: http://www.whatwg.org/c#security-3
Comment: Security section of Location spec is all broken now
Posted from: 173.48.81.109 by bzbarsky@mit.edu
User agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:19.0) Gecko/19.0 Firefox/19.0
Given http://html5.org/r/7513, doing security checks based on the associated document just doesn't work. The security section needs to be changed to reflect reality...
For example, reading .href on the location reads the URI of the "relevant Document". But the security checks are all done against the "associated Document", which is a totally different document, and might not be same-origin with the "relevant document". This trivially allows cross-origin location reads if actually implemented.
Oh, right. The idea here is that you can access your own properties (e.g. to implement a shim for new features), but that you can't access the attributes that the spec defines if the URL is one you shouldn't be able to read. But ok, forget the shimmed properties while the document is cross-origin, we'll just block those. The real ones would be blocked anyway.
Checked in as WHATWG revision r7516. Check-in comment: Location's security model is actually different than Window's. http://html5.org/tools/web-apps-tracker?from=7515&to=7516