Remove the risk of document.domain.
#10
Comments
|
Copying @bholley since he's been wanting to do something like this. |
|
This sounds great! Years ago Hixie, abarth and I agreed on a theoretical goal of eventually deprecating document.domain, and this sounds like a great way to make some meaningful progress in that direction. |
|
So, @hillbrad let me know that |
We can't require this behavior, as usage is far too high (and Facebook requires it in their SDK. Grrrr.). User agents are encouraged to help developers migrate away from this API, however, and can hopefully enforce this optional requirement at some point in the future. #10
|
That seems like a rather terrible cop out. We shouldn't have optional features like that if they cannot actually be implemented. |
|
I disagree. The spec shows the future direction we'd like to take things, and gives browsers the freedom to experiment in the same way that the mixed content spec says something like "Browser, you can totally block all mixed content if you feel like it, and we'll revise the spec based upon the way things go." |
|
Okay. Still disappointed, but more in Facebook I guess. |
|
So couldn't we still do this for new features that Facebook has not yet adopted or have not been implemented yet? Or do we want to effectively endorse their development practices? |
|
@hillbrad Can you elaborate on why Facebook needs document.domain here, and how feasible it is to move to something better? |
|
I'm not arguing to remove it from the roadmap. I'd like to get rid of it, So basically, this is old code, it works, and there's simply been very -Brad On Tue, Feb 9, 2016 at 12:29 PM Bobby Holley [email protected]
|
|
Ok. Presumably the browsers that can't do postMessage also can't use any of the new features we're talking about gating here. So it seems fine to let them continue using document.domain, and add a postMessage path to take advantage of the newer stuff. I think we should do this in the near-term, before any other big sites start using these new features in tandem with document.domain. I think this is pretty important to do, and Jochen agreed last we spoke. I'm guessing Facebook can fix their stuff faster than browser vendors anyway, but I'm happy to delay until some explicit date as long as we get a clear timeline. |
|
We should just identify some features and start doing it for those, e.g., https://storage.spec.whatwg.org/ is not deployed yet. That could be our guinea pig. |
|
Hrm. shrug I can get behind doing this for new features. I don't see a clear way to do so without forking the definition of "secure context", however, which I'd prefer to avoid doing. That is, Chrome is busy tying old APIs to secure contexts. Geolocation, Appcache, getUserMedia, etc. I worry about retroactively pulling the rug out from under developers (again), which is why the usage of I'll add some metrics to Chrome to see how much of the |
|
It would be acceptable to me to have "secure context" and "deprecates document.domain" as orthogonal bits. I'm a little bit skeptical about using "secure context" for legacy APIs if the plan for JavaScript/IDL is still to not expose those APIs from insecure contexts. So if that is the plan I think there too we might have orthogonal bits. |
|
I'm willing to setup some specification infrastructure for a "deprecates document.domain" handle new methods could use. We could even use it for new methods we'd expose outside of secure contexts. |
|
+1 to starting with new APIs if possible. Provides a good incentive to |
|
Sure. Once we have a spec model and buy-in from other vendors, I'm happy to add the infrastructure to implement this on the Gecko side. |
|
So the way to do this is to set a flag if document.domain is set and to set a flag if the "new thing" is used and have both sides check whether the opposite flag is set before they're allowed to be used. However, what should be the scope of these flags. Is just document enough? |
|
s/the "new thing"/any "new thing"/, but yes. Putting it on the document should be fine. |
|
The main problem I see that this would still make it easy to circumvent this e.g., by using an |
|
The way that the spec is currently written, if implementations act on the document.domain "MAY" section they would need to iterate through the entire descendant-and-auxiliary browser context graph, updating the secure context status of all history entries for all of those browser contexts. Walking the descendant browser context graph is doable, but if implementations don't keep a list of a Window's auxiliary browser contexts that's a bit more annoying to implement. Conversely, if [SecureContext] API is used, implementations would need to walk the ancestor-and-opener browser context graph marking document.domain as throwing. Any given Document in a popup may have multiple documents that can access it and implementations may well only keep track of one of those as the document's opener and not currently have access to the others. Given the above, regardless of whether we split out document.domain status into a new attribute separate from [SecureContext], I'd be quite keen to stop taking account of document.domain changes outside top level browsing contexts (i.e. not follow the openers). Whether this attribute should only pay attention to document.domain changes to the current document I'm less sure about. Given the desire to restrict document.domain use with both shipped and not yet shipped API, I'd definitely be in favor of creating a new attribute separate from [SecureContext]. That avoids conflating unrelated concepts into [SecureContext] and gives us more flexibility to maximize the number of APIs we can ban from use with document.domain changes. |
|
I'm generally happy to 80/20 this one. People are using document.domain out of laziness, so they're unlikely to try too hard to work around whatever we put in place if doing so involves opening popups and restructuring the frame hierarchy. I think we should prevent simple subframe tricks if we can, but not worry about much else. |
|
whatwg/html#829 has a concrete proposal for how we could do this. It uses the furthest same-origin browsing context as keeper of state for document.domain and new features. Curious to hear what everyone thinks. |
We'd still like to get rid of document.domain, but rather than conflating that and secure contexts, that work has been split out into: whatwg/html#829 See also the discussion at: w3c#10
|
I think we can close this issue and continue any discussion in whatwg/html#829 |
|
Yeah. This won't be in Secure Contexts. |
Based on discussion in the F2F, we'd like to prevent secure contexts from pretending to be an origin other than it's actual origin. To that end, we'd like to try to:
document.domainand[SecureContext]mutually exclusive: touching one makes the other throw.document.domainwill throw for a Service Worker-controlled document.document.domainusage for TLS-delivered pages to see if we can drop it.The text was updated successfully, but these errors were encountered: