This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
The spec currently says: > The dialogArguments IDL attribute, on getting, must check whether its > browsing context's active document's origin is the same as the dialog > arguments' origin. If it is, then the browsing context's dialog arguments > must be returned unchanged. Otherwise, if the dialog arguments are an > object, then the empty string must be returned, and if the dialog arguments > are not an object, then the stringification of the dialog arguments must > be returned. I wrote a testcase [1] to test a cross-origin and same-origin showModalDialog with |1| as the argument. In Firefox, Chrome, and IE9, the value is undefined cross-origin (Safari and Opera don't appear to implement showModalDialog). When trying to change Gecko's behavior to match the spec, I broke our test coverage for [2], which strongly suggests that we should keep our current behavior. [1] http://people.mozilla.com/~bholley/testcases/xomodal.html [2] https://bugzilla.mozilla.org/show_bug.cgi?id=504862
I augmented the test to check return values as well. It appears that a similar origin check is applied to window.returnValue, so looks like we'll have to fix this there as well. :-(
What's the security problem of exposing strings? Adam seemed ok with it in 2009: http://lists.w3.org/Archives/Public/public-whatwg-archive/2009Jun/0336.html Did something change? Or are strings ok, it's just that nobody implements it and we'd rather not bother making showModalDialog() better?
(In reply to comment #2) > What's the security problem of exposing strings? Per mozilla bug 504862, it sounds like the concern is more about protecting the openee than the opener. That is to say, if someone wrote a page assuming that dialogArguments came from a trusted source, they those pages could potentially be exploited. > Or are strings ok, it's just that nobody implements it and we'd rather not > bother making showModalDialog() better? I recently reimplemented all our showModalDialog stuff, and I actually tried to follow the spec on this issue and use strings (it made the implementation simpler as well). But I ran afoul of our test coverage for [2], and I figured that it would probably take more than a unilateral decision on my part to determine that this is now ok.
Hm actually the threat to the openee is an interesting point. Even if it's just strings, they could be parsing them in some special way and get screwed. Ok. Let me know if I missed anything important!
Checked in as WHATWG revision r7975. Check-in comment: Make showModalDialog()'s dialogArguments and returnValue only be useful same-origin, to avoid origins attacking each other http://html5.org/tools/web-apps-tracker?from=7974&to=7975