[whatwg] sandboxed documents and cookies

Ian Melven imelven at mozilla.com
Fri Jun 15 15:46:08 PDT 2012


in https://bugzilla.mozilla.org/show_bug.cgi?id=341604#c180, David-Sarah Hopwood
makes a few points about cookies in sandboxed documents :

"Ugh, that's mandating an information leak about whether the document has cookies. Maybe a minor leak,
but I don't understand why it should exist: if allow-same-origin is not set, then the clear intent is 
that no information about cookies should be available."

"Oh, and another reason not to do it that way is that it's a testing hazard for web developers. They test when there are no cookies, it works, then the parent document adds cookies (which has no reason to make any difference), and it breaks because the code in the sandboxed document didn't expect the exception."

The spec (http://dev.w3.org/html5/spec/dom.html#sandboxCookies) says : "On
getting, if the document is a cookie-free Document object, then the user
agent must return the empty string. Otherwise, if the Document's origin is
not a scheme/host/port tuple, the user agent must throw a SecurityError

IE 10, Chrome and the patches I am working on for Firefox all throw a SecurityError
even if no cookies are set - i agree that this seems like the correct behaviour.


More information about the whatwg mailing list