This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 27212 - HTML needs to explain heycam.github.io/webidl/#es-security per bug 27204 comment 7.
Status: RESOLVED DUPLICATE of bug 22346
Alias: None
Product: WHATWG
Classification: Unclassified
Component: HTML
Version: unspecified
Hardware: Other other
Importance: P3 normal
Target Milestone: Unsorted
Assignee: Ian 'Hixie' Hickson
QA Contact: contributor
URL: https://html.spec.whatwg.org/#scripting
Reported: 2014-10-31 17:46 UTC by contributor
Modified: 2016-01-18 12:29 UTC

Description contributor 2014-10-31 17:46:42 UTC
Specification: https://html.spec.whatwg.org/multipage/webappapis.html
Multipage: https://html.spec.whatwg.org/multipage/#scripting
Complete: https://html.spec.whatwg.org/#scripting
Referrer: https://html.spec.whatwg.org/multipage/browsers.html

Comment:
HTML needs to explain heycam.github.io/webidl/#es-security per bug 27204
comment 7.

Posted from: 46.127.136.57 by annevk@annevk.nl
User agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:36.0) Gecko/20100101 Firefox/36.0

Comment 1 Ian 'Hixie' Hickson 2014-11-01 06:20:20 UTC
How does this differ from bug 20701?

Comment 2 Anne 2014-11-01 08:56:22 UTC
I guess it might be a duplicate if Location/Window are the only objects we need http://heycam.github.io/webidl/#es-security for.

Comment 3 Boris Zbarsky 2014-11-03 05:30:03 UTC
Modulo document.domain, they are.

When document.domain is involved, browsers disagree in irreconcilable ways on the behavior, unfortunately.  HTML specifies a behavior that's not acceptable (considered insecure) to some browsers, etc.  So let's not worry about that case.

For the Window/Location case, bug 20701 may or may not define the behavior in question here, which is the behavior when you take a function from your own origin and .call it on a cross-origin object this value.  The proposed spec at https://etherpad.mozilla.org/html5-cross-origin-objects doesn't define it, afaict.

Comment 4 Bobby Holley (:bholley) 2014-11-03 07:48:07 UTC
(In reply to Boris Zbarsky from comment #3)
> For the Window/Location case, bug 20701 may or may not define the behavior
> in question here, which is the behavior when you take a function from your
> own origin and .call it on a cross-origin object this value.  The proposed
> spec at https://etherpad.mozilla.org/html5-cross-origin-objects doesn't
> define it, afaict.

Hm, I thought we did that somewhere, but I don't see it. Anyway, we should roll that into bug 20701 - the basic gist being "call/apply of a whitelisted method, getter, or setter should work, regardless of which object it was originally retrieved from".

Comment 5 Boris Zbarsky 2014-11-03 08:07:19 UTC
Sure; the important part is that call/apply of a non-whitelisted method should _not_ work.

Comment 6 Anne 2016-01-18 12:29:52 UTC

*** This bug has been marked as a duplicate of bug 22346 ***
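
The rule stated in comments 4 and 5, as an added example that is not part of the original thread or of any browser's code: a toy JavaScript model in which the security check runs against the receiver (`this`) and the member name at call time, so it does not matter which object the function was read from. `makeWindow`, `runAs`, `checked`, `outcome`, the allowlist contents and the `.example` origins are assumptions made for this sketch.

```javascript
// Toy model, constructed for illustration: origins are strings and "windows"
// are plain objects registered in a WeakMap, not real browser objects.
const originOf = new WeakMap();
let currentOrigin = null; // stands in for the origin of the running script

// Illustrative allowlist (assumption; the thread names no specific members).
const CROSS_ORIGIN_ALLOWLIST = new Set(["postMessage"]);
class SecurityError extends Error { get name() { return "SecurityError"; } }

// Wrap an operation so the check runs against the receiver (`this`) on every
// call, independent of which object the function was originally read from.
function checked(name, impl) {
  return function (...args) {
    const targetOrigin = originOf.get(this);
    if (targetOrigin === undefined) throw new TypeError(`${name}: illegal receiver`);
    if (targetOrigin !== currentOrigin && !CROSS_ORIGIN_ALLOWLIST.has(name)) {
      throw new SecurityError(`${name} blocked on cross-origin receiver`);
    }
    return impl.apply(this, args);
  };
}

function makeWindow(origin) {
  const win = {
    inbox: [],
    postMessage: checked("postMessage", function (msg) { this.inbox.push(msg); return "delivered"; }),
    alert: checked("alert", function (msg) { this.inbox.push(msg); return "shown"; }),
  };
  originOf.set(win, origin);
  return win;
}

function runAs(origin, fn) {
  const previous = currentOrigin;
  currentOrigin = origin;
  try { return fn(); } finally { currentOrigin = previous; }
}
const outcome = (fn) => { try { return fn(); } catch (e) { return e.name; } };

function demo() {
  const [a, b] = ["https://a.example", "https://b.example"].map((o) => makeWindow(o));
  return runAs("https://a.example", () => ({
    allowlistedViaOwn: outcome(() => a.postMessage.call(b, "hi")),    // own function, foreign receiver
    allowlistedViaTarget: outcome(() => b.postMessage.call(b, "hi")), // function read from the target
    nonAllowlisted: outcome(() => a.alert.call(b, "hi")),             // must be refused
    sameOrigin: outcome(() => a.alert.call(a, "hi")),
    inboxB: b.inbox.length, // only the two allowlisted calls reached b
  }));
}
```
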