[whatwg] MessageEvent.domain, document.domain on a page whose URI has no domain (e.g. data:text/html, ...)
Adam Barth
hk9565 at gmail.com
Thu Jan 24 11:24:20 PST 2008
On Jan 24, 2008 10:59 AM, Jonas Sicking <jonas at sicking.cc> wrote:
> Note that this is a much bigger issue than simply what to return for
> document.domain. It's basically the question, what security context
> should data: documents and written-into documents use.

The security origin of frames that begin life with the URL
"about:blank" or "" differs in different browsers. In Firefox and the
trunk revision of WebKit, the principal for the frame is aliased to
the principal of the frame's parent (or opener, if it is a top-level
frame). In IE7, the frame appears to copy the principal.

http://crypto.stanford.edu/~abarth/research/html5/empty-frame/

The frame's window.location.href property matches the parent/opener in
Firefox, IE, and Safari:

http://crypto.stanford.edu/~abarth/research/html5/empty-frame/href.html

Adam