This repository has been archived by the owner on Jun 7, 2018. It is now read-only.

DocumentTimeline constructor is probably a security hole #183

Closed
bzbarsky opened this issue Mar 25, 2017 · 4 comments

Comments

@bzbarsky

https://w3c.github.io/web-animations/#dom-documenttimeline-documenttimeline says:

Creates a new DocumentTimeline object associated with the active document of the current browsing context.

but the active document of any browsing context need not be same-origin with the code calling the constructor, nor same origin-domain, or same anything, really.

I really doubt any browsers implementing this API do anything remotely involving getting the active document of any browsing context here. I know for a fact Firefox does not. It uses the document of the "current global", as defined at https://html.spec.whatwg.org/multipage/webappapis.html#current-global-object, which is guaranteed to be a Window in this case.

@bzbarsky
Author

Oh, and I should note that it's not even clear what "current browsing context" means. But fixing this to not use "active document" will likely make that problem go away too.

birtles added a commit that referenced this issue Apr 7, 2017
As described in #183, the active document of a browsing context need not
be same-origin with the code calling the constructors/methods. This
patch fixes this to refer instead to the document of the current global
object.
@birtles
Contributor

birtles commented Apr 7, 2017

Oops, I actually meant to push 6d2ddc9 to a branch and get @bzbarsky to review. Hopefully it is ok.

webanimbot pushed a commit that referenced this issue Apr 7, 2017
As described in #183, the active document of a browsing context need not
be same-origin with the code calling the constructors/methods. This
patch fixes this to refer instead to the document of the current global
object.

Generated from:

commit 6d2ddc9
Author: Brian Birtles <birtles@gmail.com>
Date:   Fri Apr 7 16:36:34 2017 +0900

    Fix references to current browsing context and active document

    As described in #183, the active document of a browsing context need not
    be same-origin with the code calling the constructors/methods. This
    patch fixes this to refer instead to the document of the current global
    object.
@bzbarsky
Author

bzbarsky commented Apr 7, 2017

Yes, that looks reasonable.

@birtles
Contributor

birtles commented Apr 7, 2017

Great, thanks Boris!

@birtles birtles closed this as completed Apr 7, 2017