| 03:01 | <sideshowbarker> | smaug: https://phabricator.services.mozilla.com/D286825 |
| 08:48 | <zcorpan> | annevk: ping https://github.com/whatwg/html/pull/11560 |
| 11:40 | <smaug> | What was the reason to use 'any' for https://html.spec.whatwg.org/#dom-origin-from ? |
| 11:51 | <annevk> | There was no clean way to do it some other way iirc. |
| 13:31 | <smaug> | It is just that this pseudo-union handling is inconsistent with WebIDL unions when it comes to string handling. WebIDL goes through toString(). I can't immediately guess if this difference is on purpose or if it is a spec bug. |
| 13:33 | <smaug> | Mike West happen to recall? |
| 13:40 | <annevk> | smaug: I'm pretty sure that wasn't explicitly considered, though it had come to mind (to me). https://github.com/mikewest/origin-api/issues/8 has some of the background for this API shape. |
| 13:41 | <annevk> | It seems a bit more forward-compatible to not stringify, but I can see the consistency argument that it should anyway. |
| 13:50 | <smaug> | https://github.com/whatwg/html/issues/12238 |
| 15:07 | <zcorpan> | smaug: what would happen for
I guess if |
| 15:07 | <smaug> | Is this security sensitive? |
| 15:08 | <smaug> | I'd say it is often inconsistencies which cause bugs, including security bugs. |
| 15:10 | <zcorpan> | Yes origin checks for incoming messages are security sensitive |
| 15:12 | <smaug> | those checks are yes, but is creating the object? The security issue would be to let one add toString somewhere. |
| 15:20 | <zcorpan> | It could be valueOf: "foo" also. Maybe obj comes from JSON or so. Still you could argue that the security issue is not in Origin.from stringifying the argument... Just trying to consider if not stringifying here means fewer sec bugs for web apps in practice |
| 15:29 | <smaug> | Right, but I'd expect then all sorts of other possible security issues too. Like using scriptElement.textContent = someObject_with_toString. |
| 15:33 | <zcorpan> | Yes. There are many tricks to get XSS. For script elements we have CSP, TrustedTypes... |
| 15:35 | <smaug> | Right, and if you have some sneaky toString around, that must have gotten through CSP and TrustedTypes somehow |
| 15:44 | <zcorpan> | The point is that current code is something like
If it's changed to |
| 15:48 | <smaug> | If an attacker can control those, I assume they can already control everything. |
| 16:02 | <smaug> | zcorpan: and e wouldn't be stringified, since it is a platform object which has the relevant operation |
| 16:04 | <zcorpan> | smaug: true. It'd need to be some other object that is stringified. Hard to make up a realistic hypothetical example :) |
| 16:32 | <keithamus> | https://github.com/mikepretoruis41-create would an admin kindly block this spambot from WHATWG org please |
| 16:33 | <sfarre> | annevk I got some rubber stamping for you to do here: https://github.com/whatwg/fullscreen/pull/255 |
| 16:36 | <zcorpan> | Done, thx |
| 16:58 | <annevk> | sfarre: the princess is in another castle |
| 16:59 | <sfarre> | alright, so it's one that is changed in place and that'll spread then? |
| 17:22 | <annevk> | Unfortunately the spreading is (somewhat) manual, but yes. |
| 17:27 | <sfarre> | alright then :) |
| 18:15 | <annevk> | zcorpan: did another pass, if you're able to work on it this week that would help so I don't have to page it all back in each time |