[whatwg] Origin feedback
Jonas Sicking
jonas at sicking.cc
Wed Apr 30 15:11:27 PDT 2008
Ian Hickson wrote:
> On Wed, 30 Apr 2008, Jonas Sicking wrote:
>>> The aliasing behaviour seems really dodgy. I've specced the copying
>>> behaviour, which also matches Opera.
>> The reason you want to use aliasing is in a situation like this (file
>> loaded from www.example.com):
>>
>> <html>
>> <body>
>> <iframe id=f></iframe>
>> <script>
>> onload = function() {
>> document.domain = "example.com";
>> document.getElementById('f').contentDocument.write("hello world");
>> }
>> </script>
>> </body>
>> </html>
>>
>> The document.domain call changes the outer document's principal. If there
>> was no aliasing then the .write call would result in a security
>> exception stating that content from "example.com" doesn't have access to
>> "www.example.com".
>
> Yes, you want a security exception there. That's what IE does, in fact.
> (Opera too.)
Why do you want that? That seems very counterintuitive to me (though
unfortunately lots of document.domain behavior is).
/ Jonas
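
The two behaviours debated in this thread, as a simplified model added here (not code from either poster or from any browser). It assumes an origin is a mutable record, that setting document.domain writes a `domain` field on it, and that access requires both sides to agree on whether document.domain was set; `makeOrigin`, `canAccess`, `write` and `run` are hypothetical names.

```javascript
// Simplified model, not browser code: an origin is a mutable record and
// document.domain = "..." sets the record's `domain` field.
function makeOrigin(scheme, host, port) {
  return { scheme, host, port, domain: null };
}

// Assumed access rule: if both sides set document.domain, compare
// scheme + domain; if neither did, compare the full tuple; a mix fails.
function canAccess(a, b) {
  if (a.domain !== null && b.domain !== null) {
    return a.scheme === b.scheme && a.domain === b.domain;
  }
  if (a.domain === null && b.domain === null) {
    return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
  }
  return false;
}

// Stand-in for contentDocument.write(): throws when the access check fails.
function write(callerDoc, targetDoc, text) {
  if (!canAccess(callerDoc.origin, targetDoc.origin)) {
    throw new Error("SecurityError");
  }
  targetDoc.body = text;
}

// Replays the page from the thread: an outer document on www.example.com
// with an empty iframe, then document.domain = "example.com", then write().
// mode "alias": the iframe shares the parent's origin record.
// mode "copy":  the iframe takes a snapshot of it at creation time.
function run(mode) {
  const parent = { origin: makeOrigin("http", "www.example.com", 80) };
  const child = {
    origin: mode === "alias" ? parent.origin : { ...parent.origin },
    body: "",
  };
  const before = canAccess(parent.origin, child.origin);
  parent.origin.domain = "example.com"; // only the outer document opts in
  let result = "ok";
  try {
    write(parent, child, "hello world");
  } catch (e) {
    result = e.message;
  }
  return { before, result, body: child.body };
}

console.log("alias:", run("alias")); // write succeeds
console.log("copy: ", run("copy"));  // write raises SecurityError
```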