[whatwg] document.open() and security context

Adam Barth whatwg at adambarth.com
Fri Jun 13 23:48:46 PDT 2008


The current description of document.open(), at
<http://www.whatwg.org/specs/web-apps/current-work/#open>, doesn't
mention the method's effect on the document's security context.

The document.open() method replaces the document's security context
with the security context of the currently executing script.  In
particular, the following properties are replaced:

1) document.URL becomes the URL of the document of the currently
executing script.

2) document.baseURI becomes the URL of the document of the currently
executing script (not its baseURI).

3) The document's origin and effective script origin become the origin
and the effective script origin of the currently executing script.
(Note: actually, the origins are aliased, as in the about:blank case,
so that changes to one of the documents' document.domain property
affect the other.)

4) The document's cookie context becomes the cookie context of the
document of the currently executing script.

There may be other things that get clobbered as well, but those were
the ones I found.

This is available in code form, along with numerous tests, at
<http://trac.webkit.org/changeset/34506>.

Adam
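
The four effects listed in the message above, as a small JavaScript model. This is an added example, not part of the original post and not the WebKit changeset's code; the class and function names (`Origin`, `ModelDocument`, `canScript`, `demo`) and the example.test URLs are hypothetical. It shows why aliasing matters: a later document.domain change on the caller is visible through the opened document too.

```javascript
// Toy model, not browser code. All class and function names are hypothetical.
class Origin {
  constructor(scheme, host, port) {
    this.scheme = scheme;
    this.host = host;
    this.port = port;
    this.domain = null; // set when a script assigns document.domain
  }
  // Effective script origin: document.domain, once set, replaces host and port.
  effective() {
    return this.domain === null
      ? `${this.scheme}://${this.host}:${this.port}`
      : `${this.scheme}://${this.domain}`;
  }
}

class ModelDocument {
  constructor(url) {
    const u = new URL(url);
    this.URL = url;
    this.baseURI = url;
    this.cookieContext = url; // URL used to decide which cookies apply
    this.origin = new Origin(u.protocol.slice(0, -1), u.hostname, u.port || "443");
  }
  setBase(href) { this.baseURI = new URL(href, this.URL).href; } // <base href>
  setDomain(d) { this.origin.domain = d; }                       // document.domain = d
  // target.open() invoked by a script that belongs to callerDoc.
  open(callerDoc) {
    this.URL = callerDoc.URL;                     // (1)
    this.baseURI = callerDoc.URL;                 // (2) caller's URL, not its baseURI
    this.origin = callerDoc.origin;               // (3) same object: aliased, not copied
    this.cookieContext = callerDoc.cookieContext; // (4)
  }
}

function canScript(a, b) {
  return a.origin.effective() === b.origin.effective();
}

function demo() {
  const parent = new ModelDocument("https://app.example.test/page/index.html");
  parent.setBase("https://cdn.example.test/assets/");
  const frame = new ModelDocument("https://app.example.test/frame.html");
  frame.open(parent);               // parent's script opens the frame's document
  parent.setDomain("example.test"); // later change made on the parent only
  return { parent, frame };
}

console.log(demo().frame);
```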


