[whatwg] Origin feedback
Ian Hickson
ian at hixie.ch
Sat Nov 29 20:00:13 PST 2008
On Wed, 30 Apr 2008, Jonas Sicking wrote:
> Ian Hickson wrote:
> > On Wed, 30 Apr 2008, Jonas Sicking wrote:
> > > > The aliasing behaviour seems really dodgy. I've specced the copying
> > > > behaviour, which also matches Opera.
> > > The reason you want to use aliasing is in a situation like this (file
> > > loaded from www.example.com):
> > >
> > > <html>
> > > <body>
> > > <iframe id=f></iframe>
> > > <script>
> > > onload = function() {
> > > document.domain = "example.com";
> > > document.getElementById('f').contentDocument.write("hello world");
> > > }
> > > </script>
> > > </body>
> > > </html>
> > >
> > > The document.domain call changes the outer document's principal. If there
> > > was no aliasing then the .write call would result in a security exception
> > > stating that content from "example.com" doesn't have access to
> > > "www.example.com".
> >
> > Yes, you want a security exception there. That's what IE does, in fact.
> > (Opera too.)
>
> Why do you want that? That seems very counterintuitive to me (though
> unfortunately lots of document.domain behavior is).
You want that behavior to avoid having to define aliasing and such-like.
This security model is complex enough as it is; we don't want to make it
worse than absolutely necessary.
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
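
Added example, not part of the original message or of any browser's code: a simplified JavaScript model of the quoted scenario, showing why the `.write` call is refused when the about:blank iframe receives a copy of the parent's origin and allowed when it shares (aliases) the same origin object. All function names are hypothetical, and the comparison follows the current HTML Standard's "same origin-domain" check in reduced form (assumption: no public-suffix handling, no opaque origins).

```javascript
// Simplified model: an origin is {scheme, host, port, domain}, where
// `domain` stays null until document.domain is set on that document.
function makeOrigin(scheme, host, port) {
  return { scheme, host, port, domain: null };
}

// Reduced form of the HTML Standard's "same origin-domain" comparison.
function sameOriginDomain(a, b) {
  if (a.domain !== null && b.domain !== null) {
    return a.scheme === b.scheme && a.domain === b.domain;
  }
  if (a.domain === null && b.domain === null) {
    return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
  }
  return false; // only one side has set document.domain
}

// An about:blank child takes its origin from the parent, either as a
// snapshot ("copy") or as the very same object ("alias").
function createBlankChild(parent, mode) {
  const origin = mode === "alias" ? parent.origin : { ...parent.origin };
  return { origin };
}

// Setting document.domain mutates that document's origin record in place.
// The suffix test here is deliberately minimal (no public-suffix list).
function setDocumentDomain(doc, value) {
  const host = doc.origin.host;
  if (value !== host && !host.endsWith("." + value)) {
    throw new Error("SecurityError: " + value + " is not a suffix of " + host);
  }
  doc.origin.domain = value;
}

// Replays the quoted page: outer document from www.example.com creates an
// empty iframe, sets document.domain, then reaches into the iframe.
function runScenario(mode) {
  const outer = { origin: makeOrigin("http", "www.example.com", 80) };
  const frame = createBlankChild(outer, mode);
  setDocumentDomain(outer, "example.com");
  return sameOriginDomain(outer.origin, frame.origin) ? "allowed" : "SecurityError";
}

console.log("copy :", runScenario("copy"));
console.log("alias:", runScenario("alias"));
```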