Realm, schmealm!

ian at ian at
Thu Aug 1 10:32:20 PDT 2013

On Thu, 1 Aug 2013, Boris Zbarsky wrote:
> On 7/31/13 10:35 PM, Mark S. Miller wrote:
> > This seems like a bad bug in the html5 spec. Is there any public 
> > discussion explaining why the currently speced behavior should be 
> > considered acceptable?
> "It's simple and implemented by the majority of UAs" is the main reason 
> as far as I can tell.  Ian is not going to spec something people are 
> unwilling to implement, because that would make the spec pretty 
> useless... and I can definitely understand his position.  The best way 
> to make progress here is to get UAs fixed.

Pretty much.

Personally I'd like to drop document.domain entirely, but that's not going 
to fly any time soon.

Note that it's not a bug, per se. There's no direct security benefit to 
cutting ties between two documents that used to be connected when you 
apply document.domain to disconnect them. It provides a defense in depth 
for the (likely, as it turns out) case where there's some other bug that 
means that two cross-origin pages can accidentally end up being considered 
same-origin for some reason and get hold of each other's objects, but if 
you assume that browser is implemented perfectly per spec (modulo some 
issues we're currently working to fix), you're not going to introduce any 
vulnerabilities by not doing this.

document.domain and the effective script origin concept introduces all 
kinds of problems unrelated to security that it would be nice to get rid 
of. For example, they limit to what extent you can isolate pages into 
different processes, because you have to worry about the full set of 
origins that could ever become related by document.domain (the spec has 
the term "similar-origin" to handle this, in fact).

Also, note that the Gecko approach to this isn't the only way to approach 
this defense-in-depth problem. Another way would be to do process 
isolation at the browsing context level (i.e. make it possible for iframes 
to be in their own process), and then have one process per group of 
similar-origin browsing contexts. That actually gets you closer to what 
the spec says (closer to the legacy model) than the Gecko approach, while 
still having a pretty solid defense against accidental leakage of 
cross-origin objects (arguably a stronger model, since you can actually 
prevent the entire process from having access to the data of other origins 
at the OS level, rather than just enforcing it at the JS level).

Ian Hickson               U+1047E                )\._.,--....,'``.    fL       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

More information about the es-discuss mailing list