[whatwg] MessageEvent.domain, document.domain on a page whose URI has no domain (e.g. data:text/html, ...)
Jonas Sicking
jonas at sicking.cc
Thu Jan 24 10:59:23 PST 2008
Jeff Walden wrote:
> The spec as currently written says that document.domain in a document
> located at a URI with no domain is null:
>
> data:text/html,<script>alert(document.domain);</script>
>
> Safari and Opera both alert the empty string for this; Firefox alerts null.
>
> There's also a domain property on MessageEvent, used with the
> cross-document postMessage API. The exact value of this property isn't
> quite clear in the current spec (which says the document has no domain
> but doesn't say what that translates into on the MessageEvent
> interface), but Opera and Safari both agree that the domain property
> should be the empty string when the page that calls postMessage is a
> data: URL.
>
> It seems that, for consistency, document.domain and MessageEvent.domain
> should both be the empty string in this case, for greatest cross-browser
> compatibility with the least change to the status quo, with the only
> change needing to happen in Firefox.

Note that this is a much bigger issue than simply what to return for
document.domain. It's basically the question, what security context
should data: documents and written-into documents use.
/ Jonas
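
An added example, not part of the original thread: a receiver-side check that reads the `domain` property as the thread describes it and treats both reported "no domain" values (`null` and the empty string) as one untrusted state. The function names and the event objects are constructed for illustration.

```javascript
// Added example. The "events" below are constructed plain objects standing in
// for MessageEvent; `domain` is the property as described in the thread.

// Hypothetical helper: collapse the per-browser "no domain" values
// (null in Firefox, "" in Safari and Opera, per the thread) into null.
function senderDomain(event) {
  const d = event.domain;
  if (d === null || d === undefined || d === "") return null;
  return String(d).toLowerCase();
}

// Naive check: "the sender is in my own domain". When the receiver itself has
// no domain, "" === "" (or null === null) is true, so two unrelated
// domain-less documents would treat each other as same-domain.
function naiveSameDomain(event, ownDomain) {
  return event.domain === ownDomain;
}

// Stricter check: a sender without a domain never matches, and a sender with
// a domain must be on an explicit allowlist.
function isAllowedSender(event, allowedDomains) {
  const d = senderDomain(event);
  if (d === null) return false;
  return allowedDomains.includes(d);
}

// Constructed sample events.
const samples = [
  { label: "data: sender, null domain", event: { domain: null } },
  { label: "data: sender, empty domain", event: { domain: "" } },
  { label: "example.org sender", event: { domain: "example.org" } },
  { label: "unlisted sender", event: { domain: "other.example" } },
];

for (const s of samples) {
  console.log(s.label, "->", isAllowedSender(s.event, ["example.org"]));
}
```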