[whatwg] Origin feedback

Ian Hickson ian at hixie.ch
Wed Apr 30 14:59:25 PDT 2008


On Wed, 30 Apr 2008, Jonas Sicking wrote:
> >
> > The aliasing behaviour seems really dodgy. I've specced the copying 
> > behaviour, which also matches Opera.
> 
> The reason you want to use aliasing is in a situation like this (file 
> loaded from www.example.com):
> 
> <html>
>   <body>
>   <iframe id=f></iframe>
>   <script>
> onload = function() {
>   document.domain = "example.com";
>   document.getElementById('f').contentDocument.write("hello world");
> }
>   </script>
>   </body>
> </html>
> 
> the document.domain call changes the outer document's principal. If there 
> was no aliasing then the .write call would result in a security 
> exception stating that content from "example.com" doesn't have access to 
> "www.example.com".

Yes, you want a security exception there. That's what IE does, in fact. 
(Opera too.)


> Similarly (file loaded from www.example.com):
> 
> <html>
>   <body>
>   <script>
> onload = function() {
>   xhr = new XMLHttpRequest();
>   xhr.open("GET", "http://www.example.com/data.xml", false);
>   xhr.send(null);
>   doc = xhr.responseXML;
>   doc.documentElement;
>   document.domain = "example.com";
>   doc.documentElement;
> }
>   </script>
>   </body>
> </html>
> 
> Without the XHR document "aliasing" the principal of the main document, 
> the first doc.documentElement call will succeed, but the second will 
> throw a security error.

Agreed. I've made XHR documents track the origin of the document of the 
window that the XHR object was from, and made document.domain throw when 
called on such documents.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
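
Both quoted snippets turn on whether a derived document (the iframe's initial document or the XHR response document) copies or aliases the outer document's origin. The following JavaScript model is an added illustration, not part of the original message and not browser or specification code; the `Origin` class, the `canAccess`, `setDomain`, `derive` and `replay` names, and the simplified access rule are assumptions made for the example.

```javascript
// Simplified model of the origin check discussed in this thread (constructed
// for illustration; not browser or specification code).
class Origin {
  constructor(scheme, host, port) {
    this.scheme = scheme;
    this.host = host;
    this.port = port;
    this.domain = null; // non-null only after a document.domain assignment
  }
  copy() {
    return Object.assign(new Origin(this.scheme, this.host, this.port), { domain: this.domain });
  }
}

// Assumed access rule: if either side has set document.domain, both must
// have set it to the same value; otherwise compare host and port.
function canAccess(a, b) {
  if (a.scheme !== b.scheme) return false;
  if (a.domain !== null || b.domain !== null) return a.domain === b.domain;
  return a.host === b.host && a.port === b.port;
}

// document.domain setter: only the current host or a parent suffix is allowed.
// (The model ignores public-suffix restrictions that real browsers apply.)
function setDomain(doc, value) {
  const host = doc.origin.host;
  if (value !== host && !host.endsWith("." + value)) {
    throw new Error("SecurityError: " + value + " is not a suffix of " + host);
  }
  doc.origin.domain = value;
}

// Derive a document (iframe initial document or XHR responseXML) from a parent,
// either copying the parent's origin or aliasing the same origin object.
function derive(parent, mode) {
  return { origin: mode === "alias" ? parent.origin : parent.origin.copy() };
}

// Replays both snippets from the thread: access before and after the outer
// document sets document.domain = "example.com".
function replay(mode) {
  const outer = { origin: new Origin("http", "www.example.com", 80) };
  const derived = derive(outer, mode);
  const before = canAccess(outer.origin, derived.origin);
  setDomain(outer, "example.com");
  return { before, after: canAccess(outer.origin, derived.origin) };
}

console.log({ copy: replay("copy"), alias: replay("alias") });
```

With copying, access succeeds before the assignment and fails after it, which is the security exception described in the thread; with aliasing, both accesses succeed because the derived document follows the outer document's change.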