[whatwg] Proposal: location.parentOrigin

Ian Hickson ian at hixie.ch
Tue Jul 16 10:53:36 PDT 2013


On Tue, 20 Nov 2012, Tobie Langel wrote:
> On Tue, Nov 20, 2012 at 6:47 AM, Ian Hickson <ian at hixie.ch> wrote:
> > On Mon, 26 Mar 2012, Adam Barth wrote:
> >>
> >> For nested browsing contexts, expose the origin of the parent 
> >> browsing context via location.parentOrigin.  (For non-nested browsing 
> >> context, the property would be null.)
> >
> > This ended up implemented in WebKit as Location.ancestorOrigins(), a 
> > method that returns a static DOMStringList with the origins of the 
> > ancestor browsing contexts in reverse order (top-level browsing 
> > context last, parent browsing context first). It doesn't respect 
> > sandboxing.
> 
> This API is painful to use and doesn't contain any info for 
> window.opener or sibling browsing contexts (see WebKit bug[1] and 
> related discussion on G+[2]) which makes it useless for some of the use 
> cases.
> 
> A better API would allow getting the origin of a referenced browsing 
> context, e.g.:
> 
>     window.getOrigin(otherWindow);
> 
> and to check whether it came from the same origin (sugar around 
> window.getOrigin(otherWindow) == window.getOrigin(window)):
> 
>     window.isSameOrigin(otherWindow);
> 
> That said, one of the key use cases for this API is to code around a 
> WebKit bug[3] so maybe that should be fixed first.
>
> [1]: https://bugs.webkit.org/show_bug.cgi?id=83493
> [2]: https://plus.google.com/116910304844117268718/posts/QyHfGL9GBd5
> [3]: https://bugs.webkit.org/show_bug.cgi?id=43504

Would just exposing window.location.origin solve this?

Is there a privacy concern with doing that? It seems like it would be 
equivalent to the window.getOrigin(otherWindow) case above. parentOrigin 
doesn't have this problem because it's assumed that it's ok to access the 
origins of your ancestors, since you can't e.g. make one of your ancestors 
load a redirector URL and then read out its origin (since making your 
ancestor navigate will kill you).

Can't you do window.isSameOrigin by just trying to access 
window.location.href and seeing if you get an exception?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
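
The exception-based same-origin probe and a parentOrigin lookup built on the ancestor origin list, as an added example that is not part of the original message or of any browser's code. The helper names and the mock window objects are hypothetical, and it assumes ancestorOrigins is readable as an array-like property on the location object.

```javascript
// Added illustration; helper names and mock windows are hypothetical.

// Probe from the message: reading location.href of a cross-origin window
// throws, while a same-origin window returns its URL.
// Caveat: where both sides have relaxed document.domain the read succeeds,
// so this reports "same origin-domain", not a strict origin match.
function isSameOrigin(otherWindow) {
  try {
    void otherWindow.location.href;
    return true;
  } catch (e) {
    // Browsers raise a SecurityError here; any other error is an unrelated
    // failure and must not be read as "cross-origin".
    if (e && e.name === "SecurityError") return false;
    throw e;
  }
}

// parentOrigin derived from the ancestor list (parent first, top-level last).
// Returns null for a non-nested browsing context, as in the proposal.
function parentOrigin(loc) {
  const list = loc.ancestorOrigins;
  if (!list || list.length === 0) return null;
  return list[0];
}

// Constructed stand-ins so the example runs outside a browser.
function mockWindow(href, { crossOrigin = false, ancestors = [] } = {}) {
  const location = { ancestorOrigins: ancestors };
  Object.defineProperty(location, "href", {
    get() {
      if (crossOrigin) {
        const err = new Error("Blocked access to a cross-origin frame.");
        err.name = "SecurityError";
        throw err;
      }
      return href;
    },
  });
  return { location };
}

const sameOriginFrame = mockWindow("https://app.example/widget");
const foreignFrame = mockWindow("https://ads.example/slot", { crossOrigin: true });
const nestedSelf = mockWindow("https://widget.example/embed", {
  ancestors: ["https://mid.example", "https://top.example"],
});
const topLevelSelf = mockWindow("https://top.example/");
```

The probe only answers yes or no; unlike the proposed window.getOrigin(otherWindow) it never reveals the other context's origin, which is the privacy distinction the message raises.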

