[html5] r7514 - [giow] (3) Make Location be protected from cross-origin access like Window. Affe [...]

whatwg at whatwg.org whatwg at whatwg.org
Mon Nov 19 17:14:36 PST 2012


Author: ianh
Date: 2012-11-19 17:14:35 -0800 (Mon, 19 Nov 2012)
New Revision: 7514

Modified:
   complete.html
   index
   source
Log:
[giow] (3) Make Location be protected from cross-origin access like Window.
Affected topics: DOM APIs, Security

Modified: complete.html
===================================================================
--- complete.html	2012-11-20 00:15:05 UTC (rev 7513)
+++ complete.html	2012-11-20 01:14:35 UTC (rev 7514)
@@ -70730,7 +70730,21 @@
    <a href=#allowed-to-navigate>allowed to navigate</a> the browsing context with which
    the <code><a href=#location>Location</a></code> object is associated
 
-  </ul></div>
+  </ul><p>When a script whose <a href=#effective-script-origin>effective script origin</a> is not the same as the
+  <code><a href=#location>Location</a></code> object's associated <code><a href=#document>Document</a></code>'s <a href=#effective-script-origin>effective script
+  origin</a> attempts to access that <code><a href=#location>Location</a></code> object's methods or attributes, the
+  user agent must act as if any changes to the <code><a href=#location>Location</a></code> object's properties, getters,
+  setters, etc, were not present.</p>
+
+  <p>For members that return objects (including function objects), each distinct <a href=#effective-script-origin>effective
+  script origin</a> that is not the same as the <code><a href=#location>Location</a></code> object's
+  <code><a href=#document>Document</a></code>'s <a href=#effective-script-origin>effective script origin</a> must be provided with a separate set
+  of objects. These objects must have the prototype chain appropriate for the script for which the
+  objects are created (not those that would be appropriate for scripts whose <a href="#script's-global-object">script's global
+  object</a> is the <code><a href=#location>Location</a></code> object's <code><a href=#document>Document</a></code>'s <code><a href=#window>Window</a></code>
+  object).</p>
+
+  </div>
 <!--REMOVE-TOPIC:Security-->
 
 

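Review bot: In the first added paragraph, "properties, getters, setters, etc" leaves the scope of the masking open inside a normative "must" requirement. The sentence should say which changes are hidden from a script with a different effective script origin, for example author-added properties and redefined accessors on the Location object, rather than trailing off with "etc", so that implementations do not disagree about what such a script can observe.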
Modified: index
===================================================================
--- index	2012-11-20 00:15:05 UTC (rev 7513)
+++ index	2012-11-20 01:14:35 UTC (rev 7514)
@@ -70730,7 +70730,21 @@
    <a href=#allowed-to-navigate>allowed to navigate</a> the browsing context with which
    the <code><a href=#location>Location</a></code> object is associated
 
-  </ul></div>
+  </ul><p>When a script whose <a href=#effective-script-origin>effective script origin</a> is not the same as the
+  <code><a href=#location>Location</a></code> object's associated <code><a href=#document>Document</a></code>'s <a href=#effective-script-origin>effective script
+  origin</a> attempts to access that <code><a href=#location>Location</a></code> object's methods or attributes, the
+  user agent must act as if any changes to the <code><a href=#location>Location</a></code> object's properties, getters,
+  setters, etc, were not present.</p>
+
+  <p>For members that return objects (including function objects), each distinct <a href=#effective-script-origin>effective
+  script origin</a> that is not the same as the <code><a href=#location>Location</a></code> object's
+  <code><a href=#document>Document</a></code>'s <a href=#effective-script-origin>effective script origin</a> must be provided with a separate set
+  of objects. These objects must have the prototype chain appropriate for the script for which the
+  objects are created (not those that would be appropriate for scripts whose <a href="#script's-global-object">script's global
+  object</a> is the <code><a href=#location>Location</a></code> object's <code><a href=#document>Document</a></code>'s <code><a href=#window>Window</a></code>
+  object).</p>
+
+  </div>
 <!--REMOVE-TOPIC:Security-->
 
 

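Review bot: The second added paragraph requires "a separate set of objects" for each distinct effective script origin but does not say whether repeated accesses from the same origin return the same object each time. Stating that object identity is stable per origin, or explicitly that it need not be, would make the requirement testable. The text here is identical to the complete.html hunk, so any wording change should be made once and carried into both files.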
Modified: source
===================================================================
--- source	2012-11-20 00:15:05 UTC (rev 7513)
+++ source	2012-11-20 01:14:35 UTC (rev 7514)
@@ -83005,6 +83005,20 @@
 
   </ul>
 
+  <p>When a script whose <span>effective script origin</span> is not the same as the
+  <code>Location</code> object's associated <code>Document</code>'s <span>effective script
+  origin</span> attempts to access that <code>Location</code> object's methods or attributes, the
+  user agent must act as if any changes to the <code>Location</code> object's properties, getters,
+  setters, etc, were not present.</p>
+
+  <p>For members that return objects (including function objects), each distinct <span>effective
+  script origin</span> that is not the same as the <code>Location</code> object's
+  <code>Document</code>'s <span>effective script origin</span> must be provided with a separate set
+  of objects. These objects must have the prototype chain appropriate for the script for which the
+  objects are created (not those that would be appropriate for scripts whose <span>script's global
+  object</span> is the <code>Location</code> object's <code>Document</code>'s <code>Window</code>
+  object).</p>
+
   </div>
 <!--REMOVE-TOPIC:Security-->
 
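Review bot: The log says this protects Location "like Window", yet the two added paragraphs restate the rule in full with no reference to the corresponding Window requirement. Consider pointing to that requirement, or sharing one definition between the two objects, so the cross-origin rules for Window and Location cannot drift apart in later revisions. The closing parenthetical, "(not those that would be appropriate for scripts whose script's global object is the Location object's Document's Window object)", is also hard to parse and would read better as its own sentence.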



