[whatwg] `window.location.origin` in sandboxed IFrames.

Mike West mkwst at google.com
Wed Jan 9 15:17:07 PST 2013


In WebKit, loading '<iframe sandbox="allow-scripts"
src="frame.html"></iframe>' with a framed document containing
'<script>alert(window.location.origin);</script>' alerts the actual
origin of the document, which wasn't what I expected. I'm not sure
what's intended, but I expected that treating the framed document as
existing in a unique origin would have some effect on the string
output as it's location's origin.

Adam explained that WebKit currently treats the 'origin' attribute as
the origin of the document's location, not the origin of the
document[1]. This is generally benign, but surprised me in the
sandboxed case.

What should the expected behavior in this case be? Given the way that
MessageEvent sets the origin of a message from a sandboxed frame to
the string "null", that seems like a reasonable option here as well.


[1]: https://bugs.webkit.org/show_bug.cgi?id=106488#c1

Mike West <mkwst at google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

More information about the whatwg mailing list