[whatwg] Proposal: location.parentOrigin
Ian Hickson
ian at hixie.ch
Tue Jul 16 10:53:36 PDT 2013
On Tue, 20 Nov 2012, Tobie Langel wrote:
> On Tue, Nov 20, 2012 at 6:47 AM, Ian Hickson <ian at hixie.ch> wrote:
> > On Mon, 26 Mar 2012, Adam Barth wrote:
> >>
> >> For nested browsing contexts, expose the origin of the parent
> >> browsing context via location.parentOrigin. (For non-nested browsing
> >> context, the property would be null.)
> >
> > This ended up implemented in WebKit as Location.ancestorOrigins(), a
> > method that returns a static DOMStringList with the origins of the
> > ancestor browsing contexts in reverse order (top-level browsing
> > context last, parent browsing context first). It doesn't respect
> > sandboxing.
>
> This API is painful to use and doesn't contain any info for
> window.opener or sibling browsing contexts (see WebKit bug[1] and
> related discussion on G+[2]) which makes it useless for some of the use
> cases.
>
> A better API would allow getting the origin of a referenced browsing
> context, e.g.:
>
> window.getOrigin(otherWindow);
>
> and to check whether it came from the same origin (sugar around
> window.getOrigin(otherWindow) == window.getOrigin(window)):
>
> window.isSameOrigin(otherWindow);
>
> That said, one of the key use cases for this API is to code around a
> WebKit bug[3] so maybe that should be fixed first.
>
> [1]: https://bugs.webkit.org/show_bug.cgi?id=83493
> [2]: https://plus.google.com/116910304844117268718/posts/QyHfGL9GBd5
> [3]: https://bugs.webkit.org/show_bug.cgi?id=43504
Would just exposing window.location.origin solve this?

Is there a privacy concern with doing that? It seems like it would be
equivalent to the window.getOrigin(otherWindow) case above. parentOrigin
doesn't have this problem because it's assumed that it's ok to access the
origins of your ancestors, since you can't e.g. make one of your ancestors
load a redirector URL and then read out its origin (since making your
ancestor navigate will kill you).

Can't you do window.isSameOrigin by just trying to access
window.location.href and seeing if you get an exception?
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
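
An added example, not code from this thread or from WebKit: the exception-based same-origin probe and the parent-first ordering of the ancestor origin list described above, combined into a check that every embedding ancestor is on an allowlist. The names isSameOrigin (here a free function), parentOrigin, framedOnlyBy, mockWindow and all `.example` origins are hypothetical; ancestorOrigins is read as a property, as current WebKit and Blink expose it, and the mock windows are constructed so the code runs outside a browser.

```javascript
// Same-origin probe as suggested in the reply: reading location.href of a
// cross-origin window throws, so a successful read means it is accessible.
function isSameOrigin(otherWindow) {
  try {
    void otherWindow.location.href;
    return true;
  } catch (e) {
    return false;
  }
}

// The list holds the parent's origin first and the top-level origin last.
// Returns null for a non-nested context or when the list is unavailable.
function parentOrigin(win) {
  const list = win.location.ancestorOrigins;
  return list && list.length > 0 ? list[0] : null;
}

// Framing check: every ancestor, not only the direct parent, must be allowed.
// An empty list (top-level context) passes; a missing list fails closed.
function framedOnlyBy(win, allowedOrigins) {
  const list = win.location.ancestorOrigins;
  if (!list) return false;
  for (let i = 0; i < list.length; i++) {
    if (!allowedOrigins.includes(list[i])) return false;
  }
  return true;
}

// Constructed stand-in for a browser window (assumption: not a real DOM object).
function mockWindow(href, ancestors, readable) {
  return {
    location: {
      ancestorOrigins: ancestors,
      get href() {
        if (!readable) throw new Error("SecurityError (constructed)");
        return href;
      },
    },
  };
}

// Constructed scenario: a widget framed by shop.example inside portal.example.
const widget = mockWindow("https://widget.example/embed",
  ["https://shop.example", "https://portal.example"], true);
const foreignParent = mockWindow("https://shop.example/", [], false);
```

Checking only the first entry would accept the widget whenever shop.example is the direct parent, even if an unlisted top-level page frames shop.example in turn. As noted in the thread, the list does not respect sandboxing.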