ian at hixie.ch
Thu Aug 1 10:32:20 PDT 2013
On Thu, 1 Aug 2013, Boris Zbarsky wrote:
> On 7/31/13 10:35 PM, Mark S. Miller wrote:
> > This seems like a bad bug in the html5 spec. Is there any public
> > discussion explaining why the currently speced behavior should be
> > considered acceptable?
> "It's simple and implemented by the majority of UAs" is the main reason
> as far as I can tell. Ian is not going to spec something people are
> unwilling to implement, because that would make the spec pretty
> useless... and I can definitely understand his position. The best way
> to make progress here is to get UAs fixed.
Personally I'd like to drop document.domain entirely, but that's not going
to fly any time soon.
Note that it's not a bug, per se. There's no direct security benefit to
cutting ties between two documents that used to be connected when you
apply document.domain to disconnect them. It provides a defense in depth
for the (likely, as it turns out) case where there's some other bug that
means that two cross-origin pages can accidentally end up being considered
same-origin for some reason and get hold of each other's objects, but if
you assume that the browser is implemented perfectly per spec (modulo some
issues we're currently working to fix), you're not going to introduce any
vulnerabilities by not doing this.
document.domain and the effective script origin concept introduce all
kinds of problems unrelated to security that it would be nice to get rid
of. For example, they limit to what extent you can isolate pages into
different processes, because you have to worry about the full set of
origins that could ever become related by document.domain (the spec has
the term "similar-origin" to handle this, in fact).
Also, note that the Gecko approach to this isn't the only way to approach
this defense-in-depth problem. Another way would be to do process
isolation at the browsing context level (i.e. make it possible for iframes
to be in their own process), and then have one process per group of
similar-origin browsing contexts. That actually gets you closer to what
the spec says (closer to the legacy model) than the Gecko approach, while
still having a pretty solid defense against accidental leakage of
cross-origin objects (arguably a stronger model, since you can actually
prevent the entire process from having access to the data of other origins
at the OS level, rather than just enforcing it at the JS level).
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
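A small model of the origin relationships discussed above, added here as an illustration and not code from the thread or from any browser: it applies the spec's rule for which values document.domain may be set to, shows that two documents on different ports of the same site become same effective origin once both set it, and computes the "similar-origin" groups that a per-process isolation scheme has to keep together. The public-suffix list is a constructed three-entry stand-in for the real one.

```javascript
// Constructed stand-in for the public suffix list (real browsers use the full PSL).
const PUBLIC_SUFFIXES = new Set(['com', 'co.uk', 'github.io']);

// Registrable domain: the label just above the longest matching public suffix.
function registrableDomain(host) {
  const labels = host.split('.');
  for (let i = 1; i < labels.length; i++) {
    const suffix = labels.slice(i).join('.');
    if (PUBLIC_SUFFIXES.has(suffix)) return labels.slice(i - 1).join('.');
  }
  return null; // no known suffix: treat the whole host as its own site
}

// document.domain may only be set to the host itself or a parent domain,
// and never to a bare public suffix; anything else is a SecurityError.
function canSetDomain(host, value) {
  if (PUBLIC_SUFFIXES.has(value)) return false;
  return value === host || host.endsWith('.' + value);
}

function parseOrigin(url) {
  const u = new URL(url);
  return { scheme: u.protocol.slice(0, -1), host: u.hostname, port: u.port, domain: null };
}

function setDomain(doc, value) {
  if (!canSetDomain(doc.host, value)) throw new Error('SecurityError');
  doc.domain = value;
}

// Effective script origin: once document.domain is set the port is dropped,
// so documents on different ports of one site can reach each other's objects.
function effectiveKey(doc) {
  return doc.domain
    ? `${doc.scheme}://${doc.domain}`
    : `${doc.scheme}://${doc.host}:${doc.port}`;
}

function sameEffectiveOrigin(a, b) { return effectiveKey(a) === effectiveKey(b); }

// Similar-origin grouping: every origin that could ever become related through
// document.domain shares scheme and registrable domain, so a process-per-group
// scheme has to reserve one process for each of these keys.
function similarOriginGroups(docs) {
  const groups = new Map();
  for (const d of docs) {
    const key = `${d.scheme}://${registrableDomain(d.host) ?? d.host}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(d.host);
  }
  return groups;
}
```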