Define security around Window, WindowProxy, and Location properly #638
Conversation
|
Things I need to look into:
Things that made me ponder:
In any event, this is definitely ready for review. |
|
If tc39/ecma262#367 lands we need to figure out what to do with [[Enumerate]]. It's not entirely clear to me what we can do then. |
I've noticed this too. I think the build script thinks that empty spans are just meant to be using span to mark up a length of text, not auto-linking. That is why we should move to longer term. Will try to review Monday. |
To be clear, that’s an issue with wattsi, right? (Not something else in the |
| <p>The <dfn>number of child browsing contexts</dfn> is the number of <span data-x="child browsing | ||
| context">child browsing contexts</span> that are <span data-x="browsing context nested | ||
| through">nested through</span> elements that are <span data-x="in a document">in the | ||
| <code>Document</code></span> that is the <span>active document</span> of the <code>Window</code> |
There was a problem hiding this comment.
A Window does not have an "active document"; a browsing context does.
|
WindowProxy needs to use https://heycam.github.io/webidl/#dfn-named-property-visibility (or a variant thereof) where it implements cross-origin named properties. In particular I think we don't want to have |
annevk
force-pushed
the
cross-origin-objects
branch
from
52a6d48 to
442575a
Compare
|
We should probably test what UAs actually do with cross-origin named properties carefully. Defining how this should behave will be a bit tricky. For example, consider this testcase: In browsers this alerts "5" (at least in Chrome, Safari, and Firefox). What should happen on cross-origin access to the "foo" property on this window? Chrome and Firefox return the subframe, looks like. Safari returns undefined (or 5, depending on what the accessing thing actually is; yes, it leaks info cross-origin in some cases). Of course maybe Safari returns undefined for cross-origin named access in general? We really need some exhaustive tests. :( |
| @@ -2976,16 +2977,23 @@ a.setAttribute('href', 'http://example.com/'); // change the content attribute d | |||
| <li>The <dfn data-noexport="" data-x="js-prod-Module" data-x-href="https://tc39.github.io/ecma262/#prod-Module"><i>Module</i></dfn> production</li> | |||
| <li>The <dfn data-noexport="" data-x="js-prod-Pattern" data-x-href="https://tc39.github.io/ecma262/#prod-Pattern"><i>Pattern</i></dfn> production</li> | |||
| <li>The <dfn data-noexport="" data-x="js-prod-Script" data-x-href="https://tc39.github.io/ecma262/#prod-Script"><i>Script</i></dfn> production</li> | |||
| <li><dfn data-noexport="" data-x-href="https://tc39.github.io/ecma262/#sec-property-descriptor-specification-type">PropertyDescriptor</dfn></li> | |||
There was a problem hiding this comment.
I've been curating this section, perhaps a bit obsessively. This should be "The [PropertyDescriptor] specification type"
There was a problem hiding this comment.
This is meant to refer to the tag literal descriptions of Property Descriptor records.
There was a problem hiding this comment.
Still would like to see this fixed. The fact that ES uses specification type names as tags when creating literals is just notation; the actual thing being referenced is the PropertyDescriptor specification type.
There was a problem hiding this comment.
Should it then say "Property Descriptor specification type"? But the references can use the literal PropertyDescriptor?
domenic
added
normative change
addition/proposal
annevk
force-pushed
the
cross-origin-objects
branch
from
573c619 to
ff6a7c1
Compare
|
@domenic I had a few more issues opened against ECMAScript that are now resolved (two PRs still pending). The biggest change is the removal of [[HasProperty]] overrides due to an upstream change. Since OrdinaryHasProperty will invoke [[GetOwnProperty]] now instead of OrdinaryGetOwnProperty. |
|
In another PR @domenic noted:
Pretty sure we're not using that terminology for the internal map we are introducing here. |
annevk
force-pushed
the
cross-origin-objects
branch
from
6f64898 to
7447524
Compare
| <li><p>Return false.</p></li> | ||
| </ol> | ||
|
|
||
| <h5 id="location-get-receiver">[[Get]] ( <var>P</var>, <var>Receiver</var> )</h5> |
domenic
added
the
do not merge yet
annevk
force-pushed
the
cross-origin-objects
branch
from
392492c to
918cd71
Compare
|
Is the "do not merge yet" label there because of tc39/ecma262#416? |
|
Yep |
domenic
removed
the
do not merge yet
|
Dependencies merged; land at will @annevk! |
This is a relative large change to the way Window, WindowProxy, and Location objects work, at least from a standards perspective. This should more closely match implementations and define all their relevant security details. A rough summary of the changes: * Window indexed getters have moved to WindowProxy. * WindowProxy is now a JavaScript exotic object and it handles all the security aspects for Window so Window can become an ordinary object. * Cross-origin named properties for Window are now exposed (though on WindowProxy). * Location is now an exotic object with all its internal methods overridden to handle the cross-origin security aspects. * Location no longer uses Unforgeable on the interface, allowing that to be removed from IDL. (It moved to all of its properties instead and the remaining details are defined through prose.) This should also address these bugs: * https://www.w3.org/Bugs/Public/show_bug.cgi?id=20701 * https://www.w3.org/Bugs/Public/show_bug.cgi?id=21674 * https://www.w3.org/Bugs/Public/show_bug.cgi?id=22346 * https://www.w3.org/Bugs/Public/show_bug.cgi?id=27128 * https://www.w3.org/Bugs/Public/show_bug.cgi?id=27502
annevk
force-pushed
the
cross-origin-objects
branch
from
918cd71 to
acae3df
Compare
|
Rock n rollーVery cool to see this landing. |
|
This might deserve a blog post :D |
| <p class="warning">The <code>Location</code> exotic object is defined through a mishmash of IDL, | ||
| invocation of JavaScript internal methods post-creation, and overridden JavaScript internal | ||
| methods. Coupled with its scary security policy, please take extra care while implementing | ||
| this excrescence.</p> |
There was a problem hiding this comment.
Wanted to say this is such an incredible word choice that had me search for over an hour on how this was added. Now i can relieve myself.
This is a relative large change to the way Window, WindowProxy, and
Location objects work, at least from a standards’ perspective. This
should more closely match implementations and define all the relevant
details.
A rough summary of the changes:
security aspects for Window so Window can become an ordinary object.
WindowProxy). This addresses Child browsing context names leak across origins #544 and
https://www.w3.org/Bugs/Public/show_bug.cgi?id=21674 which that PR was
intended to replace.
overridden to handle the cross-origin security aspects.
to be removed from IDL. (It moved to all of its properties instead and
the remaining details are defined through prose.)
This should also address these bugs: