[whatwg] MessageEvent.domain, document.domain on a page whose URI has no domain (e.g. data:text/html, ...)

Jonas Sicking jonas at sicking.cc
Thu Jan 24 10:59:23 PST 2008


Jeff Walden wrote:
> The spec as currently written says that document.domain in a document 
> located at a URI with no domain is null:
> 
> data:text/html,<script>alert(document.domain);</script>
> 
> Safari and Opera both alert the empty string for this; Firefox alerts null.
> 
> There's also a domain property on MessageEvent, used with the 
> cross-document postMessage API.  The exact value of this property isn't 
> quite clear in the current spec (which says the document has no domain 
> but doesn't say what that translates into on the MessageEvent 
> interface), but Opera and Safari both agree that the domain property 
> should be the empty string when the page that calls postMessage is a 
> data: URL.
> 
> It seems that, for consistency, document.domain and MessageEvent.domain 
> should both be the empty string in this case, for greatest cross-browser 
> compatibility with the least change to the status quo, with the only 
> change needing to happen in Firefox.

Note that this is a much bigger issue than simply what to return for
document.domain. It's basically the question, what security context
should data: documents and written-into documents use.

/ Jonas




More information about the whatwg mailing list