[whatwg] Need to define same-origin policy for WebIDL operations/getters/setters
Anne van Kesteren
annevk at annevk.nl
Wed Jan 9 13:28:37 PST 2013
On Tue, Jan 8, 2013 at 7:46 AM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> Actually, that's not enough. You have to security-check arguments too.
> Otherwise this:
>
> document.createTreeWalker(crossFrameDoc, etc);
>
> would be bad. (Note that right now the DOM spec fails to handle this, which
> is about what I would expect out of people creating APIs, which is why I
> would really prefer we define this on a low level where people can't screw
> up by forgetting it.)
You didn't file a bug on this, I think. I did think HTML handled this
already, though, which is why it is not addressed in the DOM
specification.
--
http://annevankesteren.nl/
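
An illustration of the point quoted above, added here as an example and not part of the thread or of any specification: a toy JavaScript model in which a hand-written per-API check covers the receiver but forgets the argument, while one binding-layer wrapper checks the receiver and every object argument. The `origin` tags, `defineOperation`, `createTreeWalkerHandChecked` and the `callerOrigin` parameter are hypothetical names for this sketch, and the origins are constructed sample values.

```javascript
// Toy model (constructed): each platform object carries the origin of its document.
class SecurityError extends Error {}
const makeNode = (origin, name) => ({ origin, name });

// Per-API check written by hand: it checks the receiver but forgets the arguments.
function createTreeWalkerHandChecked(callerOrigin, thisDoc, root) {
  if (thisDoc.origin !== callerOrigin) throw new SecurityError("receiver");
  return { root }; // root was never checked
}

// Binding-layer check (hypothetical helper): one wrapper applied to every
// operation, so the receiver and each object argument are checked before
// the implementation runs and no individual API can forget it.
function defineOperation(impl) {
  return function (callerOrigin, thisObj, ...args) {
    for (const v of [thisObj, ...args]) {
      const tagged = v !== null && typeof v === "object" && "origin" in v;
      if (tagged && v.origin !== callerOrigin) {
        throw new SecurityError(`cross-origin object: ${v.name}`);
      }
    }
    return impl(thisObj, ...args);
  };
}

const createTreeWalker = defineOperation((doc, root) => ({ root }));

function demo() {
  const caller = "https://a.example"; // constructed origins
  const doc = makeNode(caller, "document");
  const crossFrameDoc = makeNode("https://b.example", "crossFrameDoc");
  const results = {};
  // The hand-checked version hands back a walker rooted in the other origin.
  results.handChecked = createTreeWalkerHandChecked(caller, doc, crossFrameDoc).root.name;
  // The wrapped version rejects the same call at the binding layer.
  try { createTreeWalker(caller, doc, crossFrameDoc); results.binding = "allowed"; }
  catch (e) { results.binding = e instanceof SecurityError ? "SecurityError" : "other"; }
  // A same-origin argument still works.
  results.sameOrigin = createTreeWalker(caller, doc, makeNode(caller, "body")).root.name;
  return results;
}
console.log(demo());
```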