[whatwg] Need to define same-origin policy for WebIDL operations/getters/setters

Anne van Kesteren annevk at annevk.nl
Wed Jan 9 13:28:37 PST 2013

On Tue, Jan 8, 2013 at 7:46 AM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> Actually, that's not enough.  You have to security-check arguments too.
> Otherwise this:
>   document.createTreeWalker(crossFrameDoc, etc);
> would be bad.  (Note that right now the DOM spec fails to handle this, which
> is about what I would expect out of people creating APIs, which is why I
> would really prefer we define this on a low level where people can't screw
> up by forgetting it.)

You didn't file a bug on this I think. I did think HTML handled this
already though which is why it is not addressed in the DOM
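
The argument check discussed in the quoted message, as an added example that is not part of the original post or of any specification: a toy JavaScript model in which a binding-layer wrapper checks the receiver and every platform-object argument, next to a receiver-only variant that lets `crossFrameDoc` through. `PlatformObject`, `defineOperation`, the explicit `callerOrigin` parameter and the example origins are hypothetical names constructed for illustration.

```javascript
// Toy model, constructed for illustration: each platform object records the
// origin of the document it belongs to. Real origins are tuples, not strings.
class PlatformObject {
  constructor(origin) { this.origin = origin; }
}

class SecurityError extends Error {
  constructor(message) { super(message); this.name = "SecurityError"; }
}

// Hypothetical binding-layer wrapper. With checkArgs on (the default) every
// operation defined through it checks the receiver AND each platform-object
// argument, so an individual API cannot forget the argument check.
function defineOperation(name, impl, { checkArgs = true } = {}) {
  return function (callerOrigin, receiver, ...args) {
    const toCheck = [["this", receiver]];
    if (checkArgs) args.forEach((a, i) => toCheck.push([`argument ${i}`, a]));
    for (const [label, value] of toCheck) {
      if (value instanceof PlatformObject && value.origin !== callerOrigin) {
        throw new SecurityError(`${name}: ${label} is from ${value.origin}`);
      }
    }
    return impl(receiver, ...args);
  };
}

const impl = (doc, root) => ({ root });
// Receiver-only check: the gap described in the quoted message.
const receiverOnly = defineOperation("createTreeWalker", impl, { checkArgs: false });
// Receiver and arguments checked once, below the level of any single API.
const lowLevel = defineOperation("createTreeWalker", impl);

// Returns "allowed" or the name of the exception the call threw.
function outcome(op, ...callArgs) {
  try { op(...callArgs); return "allowed"; } catch (e) { return e.name; }
}

const A = "https://a.example";
const ownDoc = new PlatformObject(A);
const crossFrameDoc = new PlatformObject("https://b.example");

console.log(outcome(receiverOnly, A, ownDoc, crossFrameDoc));
console.log(outcome(lowLevel, A, ownDoc, crossFrameDoc));
console.log(outcome(lowLevel, A, ownDoc, ownDoc));
```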

