[whatwg] Origin feedback

Jonas Sicking jonas at sicking.cc
Wed Apr 30 14:01:35 PDT 2008


> On Thu, 24 Jan 2008, Adam Barth wrote:
>> The security origin of frames that begin life with the URL "about:blank" 
>> or "" differs in different browsers.  In Firefox and the trunk revision 
>> of WebKit, the principal for the frame is aliased to the principal of 
>> the frame's parent (or opener, if it is a top-level frame).  In IE7, the 
>> frame appears to copy the principal.
>>
>> http://crypto.stanford.edu/~abarth/research/html5/empty-frame/
>>
>> The frame's window.location.href property matches the parent/opener in 
>> Firefox, IE, and Safari:
>>
>> http://crypto.stanford.edu/~abarth/research/html5/empty-frame/href.html
> 
> The aliasing behaviour seems really dodgy. I've specced the copying 
> behaviour, which also matches Opera.

The reason you want to use aliasing is in a situation like this (file 
loaded from www.example.com):

<html>
   <body>
   <iframe id=f></iframe>
   <script>
onload = function() {
   document.domain = "example.com";
   document.getElementById('f').contentDocument.write("hello world");
}
   </script>
   </body>
</html>

The document.domain call changes the outer document's principal. If there 
was no aliasing then the .write call would result in a security 
exception stating that content from "example.com" doesn't have access to 
"www.example.com".

Similarly (file loaded from www.example.com):

<html>
   <body>
   <script>
onload = function() {
   xhr = new XMLHttpRequest();
   xhr.open("GET", "http://www.example.com/data.xml", false);
   xhr.send(null);
   doc = xhr.responseXML;
   doc.documentElement;
   document.domain = "example.com";
   doc.documentElement;
}
   </script>
   </body>
</html>

Without the XHR document "aliasing" the principal of the main document, 
the first doc.documentElement call will succeed, but the second will 
throw a security error.

/ Jonas
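
Added example, not part of the original message: a simplified model of the two behaviours discussed above (aliasing versus copying the parent's principal), covering both the empty-iframe case and the XHR responseXML case. The function names and the principal object layout are assumptions made for illustration, and the public-suffix check on document.domain is omitted.

```javascript
// Simplified model (added example): a principal is a plain object with an
// optional document.domain override.
function makePrincipal(scheme, host, port) {
  return { scheme, host, port, domain: null };
}

// Same origin-domain check: if both sides set document.domain, compare
// scheme + domain; if neither did, compare the full origin; otherwise deny.
function canAccess(a, b) {
  if (a.domain !== null && b.domain !== null) {
    return a.scheme === b.scheme && a.domain === b.domain;
  }
  if (a.domain === null && b.domain === null) {
    return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
  }
  return false;
}

// document.domain setter: only the current host or a parent suffix is allowed.
function setDomain(doc, value) {
  const host = doc.principal.host;
  if (host !== value && !host.endsWith("." + value)) {
    throw new Error("SecurityError: " + value + " is not a suffix of " + host);
  }
  doc.principal.domain = value;
}

// Child document (empty iframe or XHR responseXML) created from `parent`.
// "alias": share the parent's principal object; "copy": snapshot it once.
function createChild(parent, mode) {
  const principal = mode === "alias" ? parent.principal : { ...parent.principal };
  return { principal };
}

// Replays the sequence from the message: create child, then set document.domain
// on the outer document, checking access before and after.
function runScenario(mode) {
  const outer = { principal: makePrincipal("http", "www.example.com", 80) };
  const child = createChild(outer, mode);
  const before = canAccess(outer.principal, child.principal);
  setDomain(outer, "example.com");
  const after = canAccess(outer.principal, child.principal);
  return { before, after };
}

console.log("alias:", runScenario("alias"));
console.log("copy: ", runScenario("copy"));
```

With a copied principal the child keeps the pre-change origin, so the access check that passed before the document.domain assignment fails after it; with an aliased principal both checks pass.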


