Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Only run "perform a security check" for Window and Location objects #5141

Merged
merged 1 commit into from
Dec 11, 2019
Merged

Only run "perform a security check" for Window and Location objects #5141

merged 1 commit into from
Dec 11, 2019

Conversation

annevk
Copy link
Member

@annevk annevk commented Dec 10, 2019
edited by pr-preview bot
Loading

These days all implementations only have security checks on a couple of objects. Firefox used to have web-observable cross-origin object wrappers, but that's no longer a thing.

Tests: html/browsers/origin/cross-origin-objects/cross-origin-objects.html and web-platform-tests/wpt#20432.

(Now that this is simplified, there are other equivalent-in-behavior setups imaginable here, but I don't think they're worth the effort unless there are additional reasons to pursue such a refactoring.)

/browsers.html ( diff )

@annevk
Only run "perform a security check" for Window and Location objects
aada7f0 
These days all implementations only have security checks on a couple of objects. Firefox used to have cross-origin object wrapper, but those are no longer web observable.

Tests: html/browsers/origin/cross-origin-objects/cross-origin-objects.html and web-platform-tests/wpt#20432.
domenic
domenic approved these changes Dec 10, 2019
View reviewed changes
Copy link
Member

@domenic domenic left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm a little confused what the previously-expected behavior was. I guess it was the Firefox-only behavior?

It would be kind of nice to test the removal of that behavior in a simple test disconnected from the getSVGDocument work, but I guess that's fine too.

@annevk annevk merged commit e46fc2f into master Dec 11, 2019
@annevk annevk deleted the annevk/perform-a-security-check branch December 11, 2019 10:48
@annevk
Copy link
Member Author

annevk commented Dec 11, 2019

I don't think what we had there before truly matched anyone, as IDL's "perform a security check" does not guard all aspects of manipulating an object (for that you need full proxies, such as what we have defined for Location and WindowProxy, and that's what Firefox had for all cross-origin objects, as I understand it).

@siusin siusin mentioned this pull request Apr 13, 2020
Open
8 tasks
@annevk annevk mentioned this pull request Jul 11, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@domenic domenic domenic approved these changes

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@annevk @domenic