Closed Bug 925465 Opened 11 years ago Closed 6 years ago

Drop support for named and indexed access on cross-origin windows referencing via sandboxed iframes windows

Categories

(Core :: XPConnect, defect)

defect
Not set
normal

RESOLVED WONTFIX

People

(Reporter: bruant.d, Unassigned)

Rising from the ashes of bug 916939.
Maybe sandboxed iframes are recent enough to have a saner relationship to their parent?

This would remove a sync communication channel between a parent and an iframe, allowing thread/process/task isolation of iframes.
Define "acquired"?
(In reply to Boris Zbarsky [:bz] (Vacation Oct 12 - Oct 27) from comment #1)
> Define "acquired"?
Yeah sorry, something like "got a reference to". In code:

parent context:
<iframe id="foo" sandbox="allow-scripts"></iframe>
<script>
var win = document.getElementById('foo').contentWindow; // that's what I call "acquire"
// since win references a sandboxed iframe window, named and indexed access could be
// decided not to work anymore
</script>

... I realize this certainly requires some sort of WindowProxy2. I should probably take this to the WHATWG first, sorry for the noise.
Summary: Drop support for named and indexed access on cross-origin windows acquired from sandboxed iframes → Drop support for named and indexed access on cross-origin windows referencing via sandboxed iframes windows
> since win references a sandboxed iframe window

Hmm.  I guess sandboxing propagates to subframes too...  Bobby, thoughts?  This might be reasonable.
Flags: needinfo?(bobbyholley+bmo)
We could easily implement this in our security wrappers if we wanted to. I'm happy to use Gecko as a guinea pig if we need to test the web-compatibility of this change. I suspect it should be ok.

(In reply to David Bruant from comment #2)
> ... I realize this certainly requires some sort of WindowProxy2. I should

Not necessarily. The current spec language for cross-origin object access is inaccurate, and Hixie and I are actively sorting out what this stuff should look like. See [1].

> probably take this to the WHATWG first, sorry for the noise.

Given the above, you might have better luck waiting until [1] is sorted out.

[1] https://www.w3.org/Bugs/Public/show_bug.cgi?id=20701
Flags: needinfo?(bobbyholley+bmo)
Blocks: 925718
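A constructed JavaScript model of the change discussed in this bug (an added example, not Gecko's security-wrapper code and not written by anyone in the thread): a Proxy stands in for the cross-origin view of a window, and `dropForSandboxed` toggles the proposed policy. The names `crossOriginView`, `makeWin` and `probe`, and the choice to throw on denied indexed or named access, are assumptions.

```javascript
// Constructed model, not Gecko code. Properties HTML exposes on a cross-origin window:
const CROSS_ORIGIN_ALLOWLIST = new Set([
  "window", "self", "frames", "top", "parent", "opener", "location",
  "closed", "length", "close", "focus", "blur", "postMessage",
]);
class SecurityError extends Error {}
const isArrayIndex = (p) => /^(0|[1-9]\d*)$/.test(p);

// Hypothetical window record: sandbox flag, child frames, allowlisted values.
function makeWin(sandboxed, children = []) {
  return { sandboxed, children, props: { closed: false, length: children.length } };
}

// Cross-origin view of `target`. opts.dropForSandboxed is the proposed policy.
function crossOriginView(target, opts) {
  const blocked = opts.dropForSandboxed && target.sandboxed;
  return new Proxy({}, {
    get(_obj, prop) {
      if (typeof prop === "symbol") return undefined;
      if (isArrayIndex(prop)) {                       // indexed access: win[0]
        if (blocked) throw new SecurityError(`indexed access [${prop}] denied`);
        const child = target.children[Number(prop)];
        return child ? crossOriginView(child.win, opts) : undefined;
      }
      if (CROSS_ORIGIN_ALLOWLIST.has(prop)) return target.props[prop];
      const named = target.children.find((c) => c.name === prop);
      if (named && !blocked) return crossOriginView(named.win, opts); // win.inner
      throw new SecurityError(`cross-origin access to "${prop}" denied`);
    },
  });
}

// Report what a parent holding `view` observes for one property key.
function probe(view, key) {
  try {
    return view[key] === undefined ? "undefined" : "reachable";
  } catch (e) {
    if (e instanceof SecurityError) return "SecurityError";
    throw e;
  }
}

// Constructed sample: a sandboxed frame containing one subframe named "inner".
const frame = makeWin(true, [{ name: "inner", win: makeWin(true) }]);
const today = crossOriginView(frame, { dropForSandboxed: false });
const proposed = crossOriginView(frame, { dropForSandboxed: true });
for (const key of ["0", "inner", "closed", "document"]) {
  console.log(key, "today:", probe(today, key), "proposed:", probe(proposed, key));
}
```

In the model, the allowlisted properties stay readable under the proposed policy; only the indexed and named paths into the sandboxed frame's children are cut.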
Per policy at https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Inactive_Bugs. If this bug is not an enhancement request or a bug not present in a supported release of Firefox, then it may be reopened.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INACTIVE
I suspect at this point this is just wontfix, given the deployment status of sandboxing.  :(
Resolution: INACTIVE → WONTFIX