[whatwg] Need to define same-origin policy for WebIDL operations/getters/setters

Ian Hickson ian at hixie.ch
Wed Jan 9 16:41:05 PST 2013

On Wed, 9 Jan 2013, Boris Zbarsky wrote:
> On 1/9/13 4:33 PM, Adam Barth wrote:
> > For what it's worth, that doesn't appear to be necessary for web 
> > compatibility.  Any time WebKit would return a Document to a script in 
> > another origin, WebKit returns null instead.
> The HTML spec requires that property access on documents use effective 
> script origin for checks.
> Effective script origins are mutable.
> It is in fact possible to get your hands on a document in a different 
> effective script origin in WebKit (thanks, document.domain).

Yeah but in that particular situation it's not a big deal to not have the 
security check as far as I can tell. So if we can just return null 
instead, it would allow us to remove those checks.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

More information about the whatwg mailing list