[whatwg] Need to define same-origin policy for WebIDL operations/getters/setters
bzbarsky at MIT.EDU
Tue Jan 8 05:16:12 PST 2013
On 1/8/13 2:16 AM, Ian Hickson wrote:
> I don't know about Document, but I can definitely think of APIs where it
> makes sense to be passing Window objects from other origins.
Yeah, I can see exceptions for Window, possibly.
> But if there's only one API that takes any of these four object types
> currently (I couldn't find any that took Document or Window in the HTML
> spec in a cursory look) then maybe it's not worth the bother. Wack a mole
> isn't _so_ bad if it's one mole a decade.
Actually, it is. In a whack a mole situation every single API added to
the platform has to be carefully audited to make sure it doesn't
introduce a mole. Which it won't be, because there are just not enough
people qualified to do such an audit...
More information about the whatwg