[whatwg] sandboxed documents and cookies
Ian Hickson
ian at hixie.ch
Mon Jul 9 18:07:15 PDT 2012
On Fri, 15 Jun 2012, Ian Melven wrote:
>
> in https://bugzilla.mozilla.org/show_bug.cgi?id=341604#c180, David-Sarah
> Hopwood makes a few points about cookies in sandboxed documents :
>
> "Ugh, that's mandating an information leak about whether the document
> has cookies. Maybe a minor leak, but I don't understand why it should
> exist: if allow-same-origin is not set, then the clear intent is that no
> information about cookies should be available."
>
> "Oh, and another reason not to do it that way is that it's a testing
> hazard for web developers. They test when there are no cookies, it
> works, then the parent document adds cookies (which has no reason to
> make any difference), and it breaks because the code in the sandboxed
> document didn't expect the exception."
>
> The spec (http://dev.w3.org/html5/spec/dom.html#sandboxCookies) says :
> "On getting, if the document is a cookie-free Document object, then the
> user agent must return the empty string. Otherwise, if the Document's
> origin is not a scheme/host/port tuple, the user agent must throw a
> SecurityError exception."
>
> IE 10, Chrome and the patches I am working on for Firefox all throw a
> SecurityError even if no cookies are set - i agree that this seems like
> the correct behaviour.
I believe you have a mistaken understanding of what "cookie-free Document"
meant. I've renamed the term to avoid the confusing interpretation. It's
now called a "cookie-averse Document". Please let me know if you still
think the logic described in the specification is incorrect.
Thanks,
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
More information about the whatwg
mailing list