This repository has been archived by the owner on Jun 7, 2018. It is now read-only.
DocumentTimeline constructor is probably a security hole #183
Comments
Oh, and I should note that it's not even clear what "current browsing context" means. But fixing this to not use "active document" will likely make that problem go away too.
birtles added a commit that referenced this issue Apr 7, 2017
As described in #183, the active document of a browsing context need not be same-origin with the code calling the constructors/methods. This patch fixes this to refer instead to the document of the current global object.
webanimbot pushed a commit that referenced this issue Apr 7, 2017
As described in #183, the active document of a browsing context need not be same-origin with the code calling the constructors/methods. This patch fixes this to refer instead to the document of the current global object.

Generated from:

commit 6d2ddc9
Author: Brian Birtles <birtles@gmail.com>
Date: Fri Apr 7 16:36:34 2017 +0900

Fix references to current browsing context and active document

As described in #183, the active document of a browsing context need not be same-origin with the code calling the constructors/methods. This patch fixes this to refer instead to the document of the current global object.
Yes, that looks reasonable.
Great, thanks Boris!
https://w3c.github.io/web-animations/#dom-documenttimeline-documenttimeline says:
but the active document of any browsing context need not be same-origin with the code calling the constructor, nor same origin-domain, or same anything, really.
I really doubt any browsers implementing this API do anything remotely involving getting the active document of any browsing context here. I know for a fact Firefox does not. It uses the document of the "current global", as defined at https://html.spec.whatwg.org/multipage/webappapis.html#current-global-object, which is guaranteed to be a Window in this case.
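The mismatch described above, as an added illustration that is not part of the original issue and is not browser or specification code: a toy model comparing the two ways of picking the timeline's document after a frame has navigated. Assumptions: all class and function names are hypothetical, the origins are constructed, and "current browsing context" is taken to mean the browsing context the calling code's document was loaded into.

```javascript
// Toy model (constructed for illustration). A browsing context has exactly one
// active document at a time; a Window global keeps its own associated document
// for its whole life, even after the context has navigated elsewhere.
class BrowsingContext {
  constructor() { this.activeDocument = null; }
  navigate(origin) {
    const doc = { origin, browsingContext: this };
    const win = { document: doc };   // the new document's global object
    this.activeDocument = doc;       // the previous document stops being active
    return win;
  }
}

// Resolution via the active document of the browsing context
// (the wording the issue objects to).
function timelineDocViaActiveDocument(currentGlobal) {
  return currentGlobal.document.browsingContext.activeDocument;
}

// Resolution via the document of the current global object
// (what the issue says Firefox does and what the fix refers to).
function timelineDocViaCurrentGlobal(currentGlobal) {
  return currentGlobal.document;
}

function demo() {
  const frame = new BrowsingContext();
  const oldGlobal = frame.navigate("https://app.example");
  // Code from the first document is still reachable (for example, a function
  // reference held by a same-origin parent), and the frame then navigates.
  frame.navigate("https://other.example");
  // That code now runs with oldGlobal as its current global object.
  return {
    viaActiveDocument: timelineDocViaActiveDocument(oldGlobal).origin,
    viaCurrentGlobal: timelineDocViaCurrentGlobal(oldGlobal).origin,
  };
}

console.log(demo());
```

In the model, only the current-global resolution is guaranteed to return a document belonging to the calling code.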