[whatwg] `window.location.origin` in sandboxed IFrames.

Ian Hickson ian at hixie.ch
Tue Jul 23 13:06:47 PDT 2013

On Thu, 10 Jan 2013, Mike West wrote:
> In WebKit, loading '<iframe sandbox="allow-scripts" 
> src="frame.html"></iframe>' with a framed document containing 
> '<script>alert(window.location.origin);</script>' alerts the actual 
> origin of the document, which wasn't what I expected. I'm not sure 
> what's intended, but I expected that treating the framed document as 
> existing in a unique origin would have some effect on the string output 
> as it's location's origin.
> Adam explained that WebKit currently treats the 'origin' attribute as 
> the origin of the document's location, not the origin of the 
> document[1]. This is generally benign, but surprised me in the sandboxed 
> case.
> What should the expected behavior in this case be? Given the way that 
> MessageEvent sets the origin of a message from a sandboxed frame to the 
> string "null", that seems like a reasonable option here as well.

I guess we have to decide whether "location.origin" is exposing 
information about the location, or information about the page. Since it's 
on Location, I think it'd make sense to be information about the location; 
document.origin would be where I'd expect information about the page 

When the page's origin doesn't match the URL's origin, the page's origin 
will always just serialise as "null", so it's not clear that it's actually 
useful to expose that really anyway. What would the use cases be?

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

More information about the whatwg mailing list