[html5] r836 - /
whatwg at whatwg.org
Mon May 21 22:56:55 PDT 2007
Author: ianh
Date: 2007-05-21 22:56:54 -0700 (Mon, 21 May 2007)
New Revision: 836
Modified:
index
source
Log:
[] (0) Security fix: document.location must not return document.defaultView.location, since the latter might be for another document, and would reveal the user's currently loaded page. Instead, make document.location return the Location object for that document.
Modified: index
===================================================================
--- index 2007-05-22 05:39:01 UTC (rev 835)
+++ index 2007-05-22 05:56:54 UTC (rev 836)
@@ -2338,7 +2338,7 @@
<pre class=idl>interface <dfn id=htmldocument>HTMLDocument</dfn> {
// <a href="#resource0">Resource metadata management</a>
- readonly attribute Location <a href="#location1" title=dom-document-location>location</a>;
+ readonly attribute Location <a href="#location0" title=dom-document-location>location</a>;
readonly attribute DOMString <a href="#url" title=dom-document-URL>URL</a>;
attribute DOMString <a href="#domain" title=dom-document-domain>domain</a>;
readonly attribute DOMString <a href="#referrer" title=dom-document-referrer>referrer</a>;
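Review bot: The fragment ids swap meaning on the changed IDL line. `#location0`, which it now points at, was the `dom-location` (Window) definition in rev 835 and becomes the `dom-document-location` definition in rev 836, with `#location1` going the other way. Any link into this file that uses those fragments will silently land on the other attribute's definition. If the ids are generated, consider stable ids for the two `location` definitions so that a security-relevant definition can be cited reliably.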
@@ -22820,12 +22820,12 @@
document</a>'s origin, with the following exceptions:
<ul>
- <li>The <code title=dom-location><a href="#location0">location</a></code>
+ <li>The <code title=dom-location><a href="#location1">location</a></code>
object
</ul>
<p>User agents must not allow scripts to override the <code
- title=dom-location><a href="#location0">location</a></code> object's
+ title=dom-location><a href="#location1">location</a></code> object's
setter.
<h4 id=constructors><span class=secno>4.2.2. </span>Constructors</h4>
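Review bot: The exception list and the setter rule in this hunk still name only `dom-location`; the change just retargets the link to `#location1`. Since `document.location` is no longer defined as the same object as the Window's `location`, it would help to say explicitly whether the exception and the "must not allow scripts to override ... setter" requirement also apply to the attribute on `HTMLDocument`, rather than leaving that to follow implicitly from both attributes returning `Location` objects.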
@@ -23284,19 +23284,18 @@
history is associated with a unique instance of a <code><a
href="#location2">Location</a></code> object.
- <p>The <dfn id=location0 title=dom-location><code>location</code></dfn>
+ <p>The <dfn id=location0
+ title=dom-document-location><code>location</code></dfn> attribute of the
+ <code><a href="#htmldocument">HTMLDocument</a></code> interface must
+ return the <code><a href="#location2">Location</a></code> object for that
+ <code>Document</code> object.
+
+ <p>The <dfn id=location1 title=dom-location><code>location</code></dfn>
attribute of the <code><a href="#window">Window</a></code> interface must
return the <code><a href="#location2">Location</a></code> object for that
<code><a href="#window">Window</a></code> object's <a
href="#active">active document</a>.
- <p>For historical reasons, the <dfn id=location1
- title=dom-document-location><code>location</code></dfn> attribute of the
- <code><a href="#htmldocument">HTMLDocument</a></code> interface must
- return the same object as the <code title=dom-location><a
- href="#location0">location</a></code> attribute on its associated <code><a
- href="#window">Window</a></code> object.
-
<p><code><a href="#location2">Location</a></code> objects provide a
representation of the URI of their document, and allow the <a
href="#current0">current entry</a> of the <a href="#browsing0">browsing
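Review bot: In the added paragraph, "the Location object for that Document object" is not defined by the lines around it. The preceding context sentence ties a unique `Location` instance to something in "history", and the Window paragraph goes through the active document. Suggest stating the Document-to-Location mapping explicitly, including what `location` returns for a Document that has no such associated object, so the two attributes cannot be read as aliases again.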
Modified: source
===================================================================
--- source 2007-05-22 05:39:01 UTC (rev 835)
+++ source 2007-05-22 05:56:54 UTC (rev 836)
@@ -20978,17 +20978,17 @@
history is associated with a unique instance of a
<code>Location</code> object.</p>
+ <p>The <dfn
+ title="dom-document-location"><code>location</code></dfn> attribute
+ of the <code>HTMLDocument</code> interface must return the
+ <code>Location</code> object for that <code>Document</code>
+ object.</p>
+
<p>The <dfn title="dom-location"><code>location</code></dfn>
attribute of the <code>Window</code> interface must return the
<code>Location</code> object for that <code>Window</code> object's
<span>active document</span>.</p>
- <p>For historical reasons, the <dfn
- title="dom-document-location"><code>location</code></dfn> attribute
- of the <code>HTMLDocument</code> interface must return the same
- object as the <code title="dom-location">location</code> attribute
- on its associated <code>Window</code> object.</p>
-
<p><code>Location</code> objects provide a representation of the URI
of their document, and allow the <span>current entry</span> of the
<span>browsing context</span>'s session history to be changed, by
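Review bot: The removed paragraph carried a rationale ("For historical reasons") and the added one carries none, so the security reason exists only in the commit log. Suggest a short note next to the new `dom-document-location` paragraph saying that it must not return the `Window`'s `location` because that object might be for another document, so that a later edit does not restore the aliasing.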