[whatwg] Need to define same-origin policy for WebIDL operations/getters/setters

Boris Zbarsky bzbarsky at MIT.EDU
Sat Dec 15 10:43:35 PST 2012

Ccing whatwg because that's where the whole "origin" thing is currently 

Consider this testcase:

<iframe src="http://w3.org"></iframe><script>
window.onload = function () {
   try {
     var doc = document.querySelector("iframe").contentDocument;
     var list = document.getElementsByTagName.call(doc, "*");
   } catch (e) {
     // an exception thrown by the code above ends up here
   }
};
</script>

This throws in Safari, Chrome, Firefox, and Opera, all on the 
"getElementsByTagName.call" bit (except when loaded via file:// in 
Safari, in which case it actually lets you read all data from a random 
website in the iframe).

But I see nothing in the specs that requires this behavior, or indeed 
even allows it.  The security bits currently in the html spec talk about 
property access on cross-origin Document and Window, but in this case 
there is no property access happening on them per se...

In any case, this needs to be defined somewhere.
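
An added example, not part of the original message and not any browser's code: a toy JavaScript model of the gap described above, where a guard on property access alone does not cover a method borrowed from the caller's own document and invoked with a cross-origin document as its this value. All names and origins are constructed; the Proxy and WeakMaps stand in for a browser's cross-origin wrapper and internal slots.

```javascript
// Toy model, not browser code: every name here is constructed for illustration.
const elements = new WeakMap();   // internal slot: document -> its element tags
const unwrap = new WeakMap();     // cross-origin wrapper -> underlying document

function makeDocument(origin, tags) {
  const doc = { origin, title: "page at " + origin };
  elements.set(doc, tags);
  return doc;
}

// Guard of the kind the message says the spec covers: property access only.
function wrapForCaller(doc, callerOrigin) {
  const view = new Proxy(doc, {
    get(target, prop) {
      if (target.origin !== callerOrigin) throw new Error("SecurityError: property access");
      return Reflect.get(target, prop);
    },
  });
  unwrap.set(view, doc);
  return view;
}

// An operation owned by realmOrigin. It reads the internal slot of its this
// value directly, so no property get on the wrapper ever takes place.
function makeGetElementsByTagName(realmOrigin, checkThisOrigin) {
  return function getElementsByTagName(name) {
    const doc = unwrap.get(this) || this;
    if (!elements.has(doc)) throw new TypeError("Illegal invocation");
    if (checkThisOrigin && doc.origin !== realmOrigin) throw new Error("SecurityError: cross-origin this");
    return elements.get(doc).filter((tag) => name === "*" || tag === name);
  };
}

const attempt = (fn) => { try { return fn(); } catch (e) { return e.message; } };

function demo() {
  const mine = "http://a.example", theirs = "http://b.example";
  const ownDoc = makeDocument(mine, ["html", "body"]);
  const frameDoc = wrapForCaller(makeDocument(theirs, ["html", "body", "p"]), mine);
  const unchecked = makeGetElementsByTagName(mine, false);
  const checked = makeGetElementsByTagName(mine, true);
  return {
    propertyAccess: attempt(() => frameDoc.title),                   // blocked by the property guard
    borrowedUnchecked: attempt(() => unchecked.call(frameDoc, "*")), // guard never consulted
    borrowedChecked: attempt(() => checked.call(frameDoc, "*")),     // blocked at invocation
    sameOrigin: attempt(() => checked.call(ownDoc, "*")),            // still works
  };
}
```

In the model, only the variant that checks the origin of its this value at invocation time matches the throwing behaviour the message reports for the four browsers.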
