[whatwg] Need to define same-origin policy for WebIDL operations/getters/setters
Boris Zbarsky
bzbarsky at MIT.EDU
Mon Jan 7 22:46:27 PST 2013
On 1/8/13 1:42 AM, Boris Zbarsky wrote:
>On 1/7/13 11:28 PM, Ian Hickson wrote:
>> The check is the same -- if the Document that is the "this" to
>> which the property is being applied doesn't match the origin of the
>> script that is doing the applying, throw SecurityError.
Actually, that's not enough. You have to security-check arguments too.
Otherwise this:

    document.createTreeWalker(crossFrameDoc, etc);

would be bad. (Note that right now the DOM spec fails to handle this,
which is about what I would expect out of people creating APIs, which is
why I would really prefer we define this on a low level where people
can't screw up by forgetting it.)
-Boris
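
The point made in the message above, as an added example that is not part of the original post or of any browser's code: a toy binding layer where the same-origin check is applied once, below the API author, to "this" only and then to "this" plus every argument. The names ORIGIN, makePlatformObject, defineOp and createTreeWalkerImpl and the two origins are assumptions made for the illustration.

```javascript
// Toy model of a binding layer. ORIGIN, makePlatformObject and defineOp are
// hypothetical names for this illustration, not WebIDL or browser internals.
class SecurityError extends Error {
  constructor(message) { super(message); this.name = "SecurityError"; }
}
const ORIGIN = Symbol("origin"); // stands in for an object's origin slot

function makePlatformObject(origin, props) {
  return Object.assign(Object.create(null), props, { [ORIGIN]: origin });
}

// Values without an origin tag (primitives, plain objects) pass the check.
function sameOrigin(callerOrigin, value) {
  if (value === null || typeof value !== "object" || !(ORIGIN in value)) return true;
  return value[ORIGIN] === callerOrigin;
}

// Wraps an operation once, below the API author. checkArgs=false models the
// "this"-only check; checkArgs=true also checks every argument.
function defineOp(name, impl, checkArgs) {
  return function (callerOrigin, thisObj, ...args) {
    const checked = checkArgs ? [thisObj, ...args] : [thisObj];
    checked.forEach((value, i) => {
      if (!sameOrigin(callerOrigin, value)) {
        throw new SecurityError(`${name}: cross-origin ${i === 0 ? "this" : "argument " + i}`);
      }
    });
    return impl.apply(thisObj, args);
  };
}

// Stand-in for createTreeWalker: the result exposes the root it was given.
function createTreeWalkerImpl(root) { return { root, currentNode: root }; }
const thisOnly = defineOp("createTreeWalker", createTreeWalkerImpl, false);
const thisAndArgs = defineOp("createTreeWalker", createTreeWalkerImpl, true);

function demo() {
  const caller = "https://a.example"; // constructed origins
  const ownDoc = makePlatformObject(caller, { title: "own" });
  const crossFrameDoc = makePlatformObject("https://b.example", { title: "other" });
  const leaked = thisOnly(caller, ownDoc, crossFrameDoc).root.title;
  let blocked = null;
  try { thisAndArgs(caller, ownDoc, crossFrameDoc); } catch (e) { blocked = e.name; }
  const allowed = thisAndArgs(caller, ownDoc, ownDoc).root.title;
  return { leaked, blocked, allowed };
}
```

Because the wrapper is generic, an operation defined through it gets the argument check without its author writing one.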