[whatwg] Need to define same-origin policy for WebIDL operations/getters/setters
Boris Zbarsky
bzbarsky at MIT.EDU
Sat Dec 15 10:43:35 PST 2012
Ccing whatwg because that's where the whole "origin" thing is currently
defined.

Consider this testcase:

  <iframe src="http://w3.org"></iframe>
  <script>
  window.onload = function () {
    try {
      var doc = document.querySelector("iframe").contentDocument;
      var list = document.getElementsByTagName.call(doc, "*");
      alert(list.item(0).textContent);
    } catch (e) {
      alert(e);
    }
  }
  </script>

This throws in Safari, Chrome, Firefox, and Opera, all on the
"getElementsByTagName.call" bit (except when loaded via file:// in
Safari, in which case it actually lets you read all data from a random
website in the iframe).

But I see nothing in the specs that requires this behavior, or indeed
even allows it. The security bits currently in the HTML spec talk about
property access on cross-origin Document and Window, but in this case
there is no property access happening on them per se...

In any case, this needs to be defined somewhere.

-Boris
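
A toy model of the gap the message describes, added here as an example and not part of the original message or of any browser's code: a check that lives only on property access does not see an operation invoked with a cross-origin `this`, while a check inside the operation does. The names `createDocument`, `viewFrom`, `makeGetElementsByTagName`, `runTestcase` and both origins are assumptions made up for the model.

```javascript
"use strict";
// Toy binding-layer model (constructed for illustration; not browser code).
const internal = new WeakMap(); // reflector object -> { origin, tags }
class SecurityError extends Error {}

function createDocument(origin, tags) {
  const doc = {};
  internal.set(doc, { origin, tags });
  return doc;
}

// The reference a script in callerOrigin holds: property gets are checked,
// which is the only rule the message says the spec text covers.
function viewFrom(callerOrigin, doc) {
  const view = new Proxy(doc, {
    get(target, prop) {
      if (internal.get(target).origin !== callerOrigin) {
        throw new SecurityError("property access on cross-origin Document");
      }
      return Reflect.get(target, prop);
    },
  });
  internal.set(view, internal.get(doc)); // view unwraps to the same state
  return view;
}

// An operation from callerOrigin's own prototype. It reads the internal state
// of `this` directly, so no property get ever happens on `this`.
function makeGetElementsByTagName(callerOrigin, checkThis) {
  return function getElementsByTagName(name) {
    const state = internal.get(this);
    if (!state) throw new TypeError("Illegal invocation");
    if (checkThis && state.origin !== callerOrigin) {
      throw new SecurityError("operation invoked on cross-origin this");
    }
    return state.tags.filter((t) => name === "*" || t === name);
  };
}

function runTestcase(checkThis) {
  const own = "http://own.test"; // constructed origins
  const foreign = viewFrom(own, createDocument("http://other.test", ["html", "body"]));
  const op = makeGetElementsByTagName(own, checkThis);
  const attempt = (fn) => { try { return fn(); } catch (e) { return e.constructor.name; } };
  return {
    propertyAccess: attempt(() => foreign.title),
    call: attempt(() => op.call(foreign, "*").join(",")),
  };
}
```

With `checkThis` false the property get is refused but the `.call` path still returns the other origin's tags; with it true both are refused, while a same-origin `this` keeps working.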