[whatwg] Need to define same-origin policy for WebIDL operations/getters/setters
Ian Hickson
ian at hixie.ch
Wed Jan 9 16:41:05 PST 2013

On Wed, 9 Jan 2013, Boris Zbarsky wrote:
> On 1/9/13 4:33 PM, Adam Barth wrote:
> > For what it's worth, that doesn't appear to be necessary for web
> > compatibility. Any time WebKit would return a Document to a script in
> > another origin, WebKit returns null instead.
>
> The HTML spec requires that property access on documents use effective
> script origin for checks.
>
> Effective script origins are mutable.
>
> It is in fact possible to get your hands on a document in a different
> effective script origin in WebKit (thanks, document.domain).

Yeah but in that particular situation it's not a big deal to not have the
security check as far as I can tell. So if we can just return null
instead, it would allow us to remove those checks.
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'