[whatwg] Origin feedback
ian at hixie.ch
Mon Apr 28 20:08:06 PDT 2008
On Wed, 23 Jan 2008, Jeff Walden wrote:
> The spec as currently written says that document.domain in a document
> located at a URI with no domain is null:
> Safari and Opera both alert the empty string for this; Firefox alerts
I've changed it to empty string.
> There's also a domain property on MessageEvent, used with the
> cross-document postMessage API. The exact value of this property isn't
> quite clear in the current spec (which says the document has no domain
> but doesn't say what that translates into on the MessageEvent
> interface), but Opera and Safari both agree that the domain property
> should be the empty string when the page that calls postMessage is a
> data: URL.
This is now specified in detail.
On Thu, 24 Jan 2008, Jonas Sicking wrote:
> Note that this is a much bigger issue than simply what to return for
> document.domain. It's basically the question, what security context
> should data: documents and written-into documents use.
This is now defined, I believe, though there may be issues. Let me know if
the current definitions break with any sites.
On Thu, 24 Jan 2008, Adam Barth wrote:
> The security origin of frames that begin life with the URL "about:blank"
> or "" differs in different browsers. In Firefox and the trunk revision
> of WebKit, the principal for the frame is aliased to the principal of
> the frame's parent (or opener, if it is a top-level frame). In IE7, the
> frame appears to copy the principal.
> The frame's window.location.href property matches the parent/opener in
> Firefox, IE, and Safari:
The aliasing behaviour seems really dodgy. I've specced the copying
behaviour, which also matches Opera.
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
More information about the whatwg