[whatwg] Calling HTMLDocument.open() should change the origin of the document to the caller's origin
ian at hixie.ch
Mon Apr 28 18:44:19 PDT 2008
On Wed, 23 Jan 2008, Jeff Walden wrote:
> The current verbiage describing open() says nothing about the document's
> origin reflecting that of the mutator, which is an oversight which
> should eventually be corrected. This came up when considering the
> values of the domain/uri properties on a MessageEvent created by a
> document.open()ed document which calls postMessage. Just making sure
> this gets in the queue to be addressed...
Since you can only call document.open() if you are same-origin or if both
you and the victim have set document.domain to the same value, it seems
that this is a non-issue. As it stands, the origin of the manufactured
document will match the URI of that document as given by window.location,
etc, instead of the origin of the document that created it, but that seems
to be the most consistent behaviour and thus desirable. (It can't be too
far from the other origin anyway, since document.domain must have been
used to get from one to the other.)
-- 
Ian Hickson
http://ln.hixie.ch/
Things that are impossible just take longer.
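
The access rule and the resulting origin described in the reply above, as an added example that is not part of the original message or of any specification text. It is a simplified model: documents are plain objects, `makeDoc`, `setDocumentDomain`, `canCallOpen` and `originAfterOpen` are hypothetical helper names, the example URLs are constructed, and public-suffix checks on document.domain are omitted.

```javascript
// Simplified model (added example): plain objects stand in for documents.
// `domain` stays null until the page explicitly assigns document.domain.
function makeDoc(url) {
  return { url: new URL(url), domain: null };
}

// Model of assigning document.domain: only the current host or a parent
// domain of it is accepted. Public-suffix checks are omitted (assumption).
function setDocumentDomain(doc, value) {
  const host = doc.url.hostname;
  if (host !== value && !host.endsWith("." + value)) {
    throw new Error("SecurityError: " + value + " is not a suffix of " + host);
  }
  doc.domain = value;
}

// Precondition from the reply: the caller can reach target.open() only if it
// is same-origin, or if BOTH sides have set document.domain to the same value.
function canCallOpen(caller, target) {
  if (caller.url.protocol !== target.url.protocol) return false;
  if (caller.domain !== null || target.domain !== null) {
    // Assumption (matches browser behaviour): once either side has set
    // document.domain, both must have set it, and the port is ignored.
    return caller.domain !== null && caller.domain === target.domain;
  }
  return caller.url.origin === target.url.origin;
}

// Outcome from the reply: the manufactured document's origin follows its
// own URI (window.location), not the origin of the document that called open().
function originAfterOpen(caller, target) {
  if (!canCallOpen(caller, target)) throw new Error("SecurityError");
  return target.url.origin;
}

// Constructed sample: two sibling hosts that opt in via document.domain.
const a = makeDoc("http://a.example.com/caller.html");
const b = makeDoc("http://b.example.com/frame.html");
console.log(canCallOpen(a, b));            // cross-origin, no opt-in
setDocumentDomain(a, "example.com");
setDocumentDomain(b, "example.com");
console.log(canCallOpen(a, b), originAfterOpen(a, b));
```

In this model the MessageEvent case raised in the quoted message would report the opened document's own origin, which differs from the caller's only by the subdomain that document.domain was used to bridge.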