[whatwg] Need to define same-origin policy for WebIDL operations/getters/setters

Boris Zbarsky bzbarsky at MIT.EDU
Tue Jan 8 05:16:12 PST 2013

On 1/8/13 2:16 AM, Ian Hickson wrote:
> I don't know about Document, but I can definitely think of APIs where it
> makes sense to be passing Window objects from other origins.

Yeah, I can see exceptions for Window, possibly.

> But if there's only one API that takes any of these four object types
> currently (I couldn't find any that took Document or Window in the HTML
> spec in a cursory look) then maybe it's not worth the bother. Whack-a-mole
> isn't _so_ bad if it's one mole a decade.

Actually, it is. In a whack-a-mole situation every single API added to
the platform has to be carefully audited to make sure it doesn't 
introduce a mole.  Which it won't be, because there are just not enough 
people qualified to do such an audit...

