getSVGDocument() and content document use slightly different security checks #5094
Labels
security/privacy
There are security or privacy implications
Comments
annevk
added
needs tests
annevk
added a commit
to web-platform-tests/wpt
that referenced
this issue
Nov 25, 2019
annevk
added a commit
that referenced
this issue
Nov 25, 2019
Additionally, make content document (also used by contentDocument) perform the same origin-domain comparison on the two documents involved. Tests: web-platform-tests/wpt#20432. Fixes #5094.
annevk
removed
the
needs tests
annevk
added a commit
that referenced
this issue
Dec 13, 2019
Additionally, make content document (also used by contentDocument) perform the same origin-domain comparison on the two documents involved rather than involve the current settings object. Tests: web-platform-tests/wpt#20432. Fixes #5094.
annevk
added a commit
to web-platform-tests/wpt
that referenced
this issue
Dec 13, 2019
moz-v2v-gh
pushed a commit
to mozilla/gecko-dev
that referenced
this issue
Dec 19, 2019
…, a=testonly Automatic update from web-platform-tests HTML: getSVGDocument() / contentDocument For whatwg/html#5094 and whatwg/html#5109. -- wpt-commits: b5f3eafc45e9e2aa2d502af321d0e8aa704ac5f9 wpt-pr: 20432
gecko-dev-updater
pushed a commit
to marco-c/gecko-dev-wordified
that referenced
this issue
Dec 20, 2019
…, a=testonly Automatic update from web-platform-tests HTML: getSVGDocument() / contentDocument For whatwg/html#5094 and whatwg/html#5109. -- wpt-commits: b5f3eafc45e9e2aa2d502af321d0e8aa704ac5f9 wpt-pr: 20432 UltraBlame original commit: 9d599fcfcf1f233f299313f4c2b28e2ce31aca43
gecko-dev-updater
pushed a commit
to marco-c/gecko-dev-comments-removed
that referenced
this issue
Dec 20, 2019
…, a=testonly Automatic update from web-platform-tests HTML: getSVGDocument() / contentDocument For whatwg/html#5094 and whatwg/html#5109. -- wpt-commits: b5f3eafc45e9e2aa2d502af321d0e8aa704ac5f9 wpt-pr: 20432 UltraBlame original commit: 9d599fcfcf1f233f299313f4c2b28e2ce31aca43
gecko-dev-updater
pushed a commit
to marco-c/gecko-dev-wordified-and-comments-removed
that referenced
this issue
Dec 20, 2019
…, a=testonly Automatic update from web-platform-tests HTML: getSVGDocument() / contentDocument For whatwg/html#5094 and whatwg/html#5109. -- wpt-commits: b5f3eafc45e9e2aa2d502af321d0e8aa704ac5f9 wpt-pr: 20432 UltraBlame original commit: 9d599fcfcf1f233f299313f4c2b28e2ce31aca43
lissyx
pushed a commit
to lissyx/mozilla-central
that referenced
this issue
Dec 20, 2019
…, a=testonly Automatic update from web-platform-tests HTML: getSVGDocument() / contentDocument For whatwg/html#5094 and whatwg/html#5109. -- wpt-commits: b5f3eafc45e9e2aa2d502af321d0e8aa704ac5f9 wpt-pr: 20432
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I wanted to refactor
getSVGDocument()to use the content document concept, but the former uses the origin of the container's node document and the latter uses the current settings object's origin.I suspect that implementations are better than this and have only one security check, but this needs to be tested. I think the difference can be tested by grabbing a reference and then changing the origin of the "current script" while not changing the origin of the container's node document or its nested browsing context.
The text was updated successfully, but these errors were encountered: