[whatwg] sandboxed documents and cookies

Ian Hickson ian at hixie.ch
Mon Jul 9 18:07:15 PDT 2012

On Fri, 15 Jun 2012, Ian Melven wrote:
> in https://bugzilla.mozilla.org/show_bug.cgi?id=341604#c180, David-Sarah 
> Hopwood makes a few points about cookies in sandboxed documents :
> "Ugh, that's mandating an information leak about whether the document 
> has cookies. Maybe a minor leak, but I don't understand why it should 
> exist: if allow-same-origin is not set, then the clear intent is that no 
> information about cookies should be available."
> "Oh, and another reason not to do it that way is that it's a testing 
> hazard for web developers. They test when there are no cookies, it 
> works, then the parent document adds cookies (which has no reason to 
> make any difference), and it breaks because the code in the sandboxed 
> document didn't expect the exception."
> The spec (http://dev.w3.org/html5/spec/dom.html#sandboxCookies) says : 
> "On getting, if the document is a cookie-free Document object, then the 
> user agent must return the empty string. Otherwise, if the Document's 
> origin is not a scheme/host/port tuple, the user agent must throw a 
> SecurityError exception."
> IE 10, Chrome and the patches I am working on for Firefox all throw a 
> SecurityError even if no cookies are set - i agree that this seems like 
> the correct behaviour.

I believe you have a mistaken understanding of what "cookie-free Document" 
meant. I've renamed the term to avoid the confusing interpretation. It's 
now called a "cookie-averse Document". Please let me know if you still 
think the logic described in the specification is incorrect.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

More information about the whatwg mailing list