
Re: document.write() and .close() allowed on IFRAME though its document.domain was set

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Thu, 02 Feb 2012 15:57:47 -0500
Message-ID: <4F2AF8CB.30504@mit.edu>
To: Adam Barth <w3c@adambarth.com>
CC: Ian Hickson <ian@hixie.ch>, public-html@w3.org

On 2/2/12 3:16 PM, Adam Barth wrote:
> 2) When one frame inherits an origin from another, the origin objects
> themselves are aliased

Ah, there we go.  That's what Gecko does as well, basically.

Perhaps we just need to spec that...

> 3) Whenever a script associated with document A calls document.open()
> on another document B (or when document.open() is called implicitly,
> e.g. by document.write()), document B's URL and cookie context get
> overridden with the corresponding information from
> document A.  In addition, document B's origin gets replaced with an
> alias to document A's origin.

Gecko does this as well.

> In the test above, there is only ever one origin (and a bunch of
> aliases to it)

Yeah, makes sense.  Sounds like the spec needs to change.

-Boris
Received on Thursday, 2 February 2012 20:58:15 GMT
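
The aliasing behaviour discussed in points 2 and 3 of this message, as an added example that is not part of the original thread and is not browser or spec code. It is a simplified model: the `Origin` and `Doc` classes, the `canAccess` rule for `document.domain`, the "copied origin" alternative and the `example.test` host names are all assumptions made for illustration.

```javascript
// Simplified model (assumption): an origin is a mutable object and each
// document holds a reference to one. Host names below are constructed.
class Origin {
  constructor(scheme, host, port) {
    this.scheme = scheme; this.host = host; this.port = port;
    this.domain = null; // non-null once a script has set document.domain
  }
}

class Doc {
  constructor(url, origin) {
    this.url = url; this.cookieContext = url; this.origin = origin;
  }
  setDomain(value) { this.origin.domain = value; } // mutates the origin object
}

// Assumed access rule: if either side set document.domain, both must have
// set it to the same value; otherwise compare scheme/host/port.
function canAccess(a, b) {
  const x = a.origin, y = b.origin;
  if (x.domain !== null || y.domain !== null) {
    return x.domain !== null && y.domain !== null &&
           x.scheme === y.scheme && x.domain === y.domain;
  }
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// A child frame inheriting its parent's origin: aliased (point 2) or,
// for contrast, given an independent copy (hypothetical alternative).
function inheritChild(parent, aliased) {
  const o = parent.origin;
  return new Doc("about:blank", aliased ? o : new Origin(o.scheme, o.host, o.port));
}

// Point 3: a script of `caller` calls document.open() on `target`.
function documentOpen(caller, target) {
  if (!canAccess(caller, target)) throw new Error("SecurityError");
  target.url = caller.url;
  target.cookieContext = caller.cookieContext;
  target.origin = caller.origin; // replaced with an alias, not a copy
}

function scenario(aliased) {
  const parent = new Doc("http://www.example.test/page",
                         new Origin("http", "www.example.test", 80));
  const child = inheritChild(parent, aliased);
  child.setDomain("example.test"); // only the iframe sets document.domain
  let result = "allowed";
  try { documentOpen(parent, child); } catch (e) { result = e.message; }
  return { result, url: child.url, shared: child.origin === parent.origin };
}
```

With aliased origins, setting `document.domain` in the iframe changes the one shared origin object, so the parent's `document.open()` still passes the check; with a copied origin the same call fails in this model.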
