[whatwg] Need to define same-origin policy for WebIDL operations/getters/setters
w3c at adambarth.com
Wed Jan 9 14:19:55 PST 2013
On Wed, Jan 9, 2013 at 2:18 PM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> On 1/9/13 4:33 PM, Adam Barth wrote:
>> For what it's worth, that doesn't appear to be necessary for web
>> compatibility. Any time WebKit would return a Document to a script in
>> another origin, WebKit returns null instead.
> The HTML spec requires that property access on documents use effective
> script origin for checks.
> Effective script origins are mutable.
> It is in fact possible to get your hands on a document in a different
> effective script origin in WebKit (thanks, document.domain).
Those checks are neither required for compatibility nor security. The
spec might say to perform the checks, but they aren't needed to build
a secure, compatible browser.
More information about the whatwg