[html5] r7514 - [giow] (3) Make Location be protected from cross-origin access like Window. Affe [...]
whatwg at whatwg.org
Mon Nov 19 17:14:36 PST 2012
Author: ianh
Date: 2012-11-19 17:14:35 -0800 (Mon, 19 Nov 2012)
New Revision: 7514
Modified:
complete.html
index
source
Log:
[giow] (3) Make Location be protected from cross-origin access like Window.
Affected topics: DOM APIs, Security
Modified: complete.html
===================================================================
--- complete.html 2012-11-20 00:15:05 UTC (rev 7513)
+++ complete.html 2012-11-20 01:14:35 UTC (rev 7514)
@@ -70730,7 +70730,21 @@
<a href=#allowed-to-navigate>allowed to navigate</a> the browsing context with which
the <code><a href=#location>Location</a></code> object is associated
- </ul></div>
+ </ul><p>When a script whose <a href=#effective-script-origin>effective script origin</a> is not the same as the
+ <code><a href=#location>Location</a></code> object's associated <code><a href=#document>Document</a></code>'s <a href=#effective-script-origin>effective script
+ origin</a> attempts to access that <code><a href=#location>Location</a></code> object's methods or attributes, the
+ user agent must act as if any changes to the <code><a href=#location>Location</a></code> object's properties, getters,
+ setters, etc, were not present.</p>
+
+ <p>For members that return objects (including function objects), each distinct <a href=#effective-script-origin>effective
+ script origin</a> that is not the same as the <code><a href=#location>Location</a></code> object's
+ <code><a href=#document>Document</a></code>'s <a href=#effective-script-origin>effective script origin</a> must be provided with a separate set
+ of objects. These objects must have the prototype chain appropriate for the script for which the
+ objects are created (not those that would be appropriate for scripts whose <a href="#script's-global-object">script's global
+ object</a> is the <code><a href=#location>Location</a></code> object's <code><a href=#document>Document</a></code>'s <code><a href=#window>Window</a></code>
+ object).</p>
+
+ </div>
<!--REMOVE-TOPIC:Security-->
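Review bot: In the first added paragraph, "properties, getters, setters, etc" leaves the scope of a normative "must" open, and this sentence is what defines the cross-origin boundary for Location. Suggest replacing "etc" with an explicit list of what counts as a change (for example properties added to, deleted from or redefined on the object), so that implementations agree on what a script with a different effective script origin observes.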
Modified: index
===================================================================
--- index 2012-11-20 00:15:05 UTC (rev 7513)
+++ index 2012-11-20 01:14:35 UTC (rev 7514)
@@ -70730,7 +70730,21 @@
<a href=#allowed-to-navigate>allowed to navigate</a> the browsing context with which
the <code><a href=#location>Location</a></code> object is associated
- </ul></div>
+ </ul><p>When a script whose <a href=#effective-script-origin>effective script origin</a> is not the same as the
+ <code><a href=#location>Location</a></code> object's associated <code><a href=#document>Document</a></code>'s <a href=#effective-script-origin>effective script
+ origin</a> attempts to access that <code><a href=#location>Location</a></code> object's methods or attributes, the
+ user agent must act as if any changes to the <code><a href=#location>Location</a></code> object's properties, getters,
+ setters, etc, were not present.</p>
+
+ <p>For members that return objects (including function objects), each distinct <a href=#effective-script-origin>effective
+ script origin</a> that is not the same as the <code><a href=#location>Location</a></code> object's
+ <code><a href=#document>Document</a></code>'s <a href=#effective-script-origin>effective script origin</a> must be provided with a separate set
+ of objects. These objects must have the prototype chain appropriate for the script for which the
+ objects are created (not those that would be appropriate for scripts whose <a href="#script's-global-object">script's global
+ object</a> is the <code><a href=#location>Location</a></code> object's <code><a href=#document>Document</a></code>'s <code><a href=#window>Window</a></code>
+ object).</p>
+
+ </div>
<!--REMOVE-TOPIC:Security-->
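Review bot: The second added paragraph requires "a separate set of objects" for each distinct effective script origin but does not say whether repeated accesses from the same origin return the same object. Suggest stating that each such origin gets the same object every time it reads a given member, since an implementation that creates a fresh function object on every access would still satisfy the text as written while breaking identity comparisons in scripts. This hunk repeats the complete.html text word for word, so the same wording change applies here.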
Modified: source
===================================================================
--- source 2012-11-20 00:15:05 UTC (rev 7513)
+++ source 2012-11-20 01:14:35 UTC (rev 7514)
@@ -83005,6 +83005,20 @@
</ul>
+ <p>When a script whose <span>effective script origin</span> is not the same as the
+ <code>Location</code> object's associated <code>Document</code>'s <span>effective script
+ origin</span> attempts to access that <code>Location</code> object's methods or attributes, the
+ user agent must act as if any changes to the <code>Location</code> object's properties, getters,
+ setters, etc, were not present.</p>
+
+ <p>For members that return objects (including function objects), each distinct <span>effective
+ script origin</span> that is not the same as the <code>Location</code> object's
+ <code>Document</code>'s <span>effective script origin</span> must be provided with a separate set
+ of objects. These objects must have the prototype chain appropriate for the script for which the
+ objects are created (not those that would be appropriate for scripts whose <span>script's global
+ object</span> is the <code>Location</code> object's <code>Document</code>'s <code>Window</code>
+ object).</p>
+
</div>
<!--REMOVE-TOPIC:Security-->
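Review bot: The parenthetical closing the second added paragraph, "scripts whose script's global object is the Location object's Document's Window object", is hard to parse: "scripts whose script's" doubles up and three possessives are chained. Suggest splitting it into its own sentence that names the excluded prototype chain directly, for example "They must not use the prototype chain of the Window object of the Location object's Document." The first paragraph also switches from "methods or attributes" to "properties, getters, setters" within one sentence; one vocabulary throughout would read more precisely.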