[whatwg] sandboxed documents and cookies

Adam Barth w3c at adambarth.com
Fri Jun 15 16:08:27 PDT 2012

On Fri, Jun 15, 2012 at 3:46 PM, Ian Melven <imelven at mozilla.com> wrote:
> in https://bugzilla.mozilla.org/show_bug.cgi?id=341604#c180, David-Sarah Hopwood
> makes a few points about cookies in sandboxed documents :
> "Ugh, that's mandating an information leak about whether the document has cookies. Maybe a minor leak,
> but I don't understand why it should exist: if allow-same-origin is not set, then the clear intent is
> that no information about cookies should be available."
> "Oh, and another reason not to do it that way is that it's a testing hazard for web developers. They test when there are no cookies, it works, then the parent document adds cookies (which has no reason to make any difference), and it breaks because the code in the sandboxed document didn't expect the exception."
> The spec (http://dev.w3.org/html5/spec/dom.html#sandboxCookies) says : "On
> getting, if the document is a cookie-free Document object, then the user
> agent must return the empty string. Otherwise, if the Document's origin is
> not a scheme/host/port tuple, the user agent must throw a SecurityError
> exception."
> IE 10, Chrome and the patches I am working on for Firefox all throw a SecurityError
> even if no cookies are set - i agree that this seems like the correct behaviour.

Yeah, that's much easier to implement and more consistent.


More information about the whatwg mailing list