[whatwg] Origin feedback
Jonas Sicking
jonas at sicking.cc
Wed Apr 30 14:01:35 PDT 2008
> On Thu, 24 Jan 2008, Adam Barth wrote:
>> The security origin of frames that begin life with the URL "about:blank"
>> or "" differs in different browsers. In Firefox and the trunk revision
>> of WebKit, the principal for the frame is aliased to the principal of
>> the frame's parent (or opener, if it is a top-level frame). In IE7, the
>> frame appears to copy the principal.
>>
>> http://crypto.stanford.edu/~abarth/research/html5/empty-frame/
>>
>> The frame's window.location.href property matches the parent/opener in
>> Firefox, IE, and Safari:
>>
>> http://crypto.stanford.edu/~abarth/research/html5/empty-frame/href.html
>
> The aliasing behaviour seems really dodgy. I've specced the copying
> behaviour, which also matches Opera.

The reason you want to use aliasing is in a situation like this (file
loaded from www.example.com):

<html>
<body>
  <iframe id=f></iframe>
  <script>
    onload = function() {
      // Changes the outer document's principal.
      document.domain = "example.com";
      // Access to the (initially empty) iframe's document.
      document.getElementById('f').contentDocument.write("hello world");
    }
  </script>
</body>
</html>

The document.domain call changes the outer document's principal. If there
was no aliasing then the .write call would result in a security
exception stating that content from "example.com" doesn't have access to
"www.example.com".

Similarly (file loaded from www.example.com):

<html>
<body>
  <script>
    onload = function() {
      xhr = new XMLHttpRequest();
      xhr.open("GET", "http://www.example.com/data.xml", false);
      xhr.send(null);
      doc = xhr.responseXML;
      // First access, before the principal change.
      doc.documentElement;
      document.domain = "example.com";
      // Second access, after the principal change.
      doc.documentElement;
    }
  </script>
</body>
</html>

Without the XHR document "aliasing" the principal of the main document,
the first doc.documentElement call will succeed, but the second will
throw a security error.

/ Jonas
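
Added example, not part of the original message and not browser code: a simplified model of the two behaviours discussed above, runnable under Node.js. The names Principal, Doc, createChild, canAccess and scenario are hypothetical, and scheme and port are left out of the origin check.

```javascript
// Simplified model (constructed for illustration). A principal is the mutable
// security identity that access checks are made against.
class Principal {
  constructor(host) {
    this.host = host;    // host the document was loaded from
    this.domain = null;  // value assigned through document.domain, if any
  }
}

class Doc {
  constructor(principal) { this.principal = principal; }
  // Models `document.domain = d`: only the host or a parent domain is accepted.
  setDomain(d) {
    const host = this.principal.host;
    if (d !== host && !host.endsWith("." + d)) throw new Error("SecurityError");
    this.principal.domain = d;
  }
}

// "alias": the child shares the parent's principal object (Firefox, WebKit trunk).
// "copy":  the child gets a snapshot of it taken at creation time (IE7, Opera).
function createChild(parent, mode) {
  if (mode === "alias") return new Doc(parent.principal);
  const copy = new Principal(parent.principal.host);
  copy.domain = parent.principal.domain;
  return new Doc(copy);
}

// Same-origin check with document.domain: either both sides set it to the same
// value, or neither set it and the hosts match.
function canAccess(caller, target) {
  const a = caller.principal, b = target.principal;
  if (a === b) return true;
  if (a.domain !== null && b.domain !== null) return a.domain === b.domain;
  if (a.domain === null && b.domain === null) return a.host === b.host;
  return false;
}

// The child stands for the empty iframe or the XHR responseXML document.
function scenario(mode) {
  const outer = new Doc(new Principal("www.example.com"));
  const inner = createChild(outer, mode);
  const before = canAccess(outer, inner);
  outer.setDomain("example.com");   // only the outer document's principal changes
  const after = canAccess(outer, inner);
  return { before, after };
}

console.log("alias:", scenario("alias"));
console.log("copy: ", scenario("copy"));
```

With "copy" the child keeps the pre-change principal, so the check that passed before the document.domain assignment fails after it; with "alias" both documents change together.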