Re: document.write() and .close() allowed on IFRAME though its document.domain was set

On Mon, 21 Nov 2011, Boris Zbarsky wrote:
> On 11/21/11 4:09 PM, Hallvord R. M. Steen wrote:
> > I know Opera has had (and still has) some security checks in DOM that 
> > other browsers do not have - but here we're looking up 
> > 'contentDocument' on 'iframe', and that certainly must be subject to 
> > security checks in all UAs, right?
> 
> In at least the case of Gecko, about:blank iframes have the same origin 
> _object_ as the page that loaded them.
> 
> That is, when document.domain is set on that iframe, it changes the 
> document.domain of the page that loaded it as well (or more precisely, 
> changes the single object that both documents have pointers to and which 
> represents the origin of the outer page).
> 
> Arguably the Gecko behavior here is sort of buggy....
> 
> > This currently causes a problem on eBay. Do we need to fix HTML5 to 
> > align with Chrome/Firefox?
> 
> It would be good to understand why it works in WebKit; I didn't think 
> they did the same "share the origin object" thing Gecko does here.

We should either change one or more implementations here or change the 
spec.

Currently, I think the behaviour you describe for about:blank in Gecko is 
the same as what the spec has for srcdoc="" documents:

  The origin of the Document is the origin of the Document's browsing 
  context's browsing context container's Document.

The behaviour the spec has for about:blank isn't the same:

  The origin of the Document is the origin it was assigned when its 
  browsing context was created.

However, in neither case does document.domain in the spec work as you 
describe for Gecko, because in the spec, document.domain is set when the 
Document is created and is then no longer tied to the origin, so changing 
neither the inner frame's document.domain effective origin nor the outer 
frame's document.domain effective origin can actually change the origin or 
document.domain effective origin of the other.

I'm open to changing any of this, but it's a pretty hairy part of the spec 
so I'd rather not change it more than once... :-)

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Tuesday, 31 January 2012 20:07:54 UTC
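The contrast Ian draws between a per-Document origin assigned at creation (the spec) and a single origin object shared by parent and about:blank iframe (Gecko, as Boris describes it), as an added model that is not code from this thread or from any browser. It assumes the current HTML Standard's "same origin-domain" rule (both documents set document.domain to the same value, or neither set it), a simplified suffix check in the document.domain setter, and constructed host names.

```javascript
// Added model, not code from the thread. Assumption: an origin is
// {scheme, host, port, domain}; domain === null means document.domain was never set.
function makeOrigin(scheme, host, port) {
  return { scheme, host, port, domain: null };
}

function makeDocument(origin) {
  return { origin };
}

// "shared": the about:blank iframe points at the parent's origin object itself
// (Gecko). "spec": the iframe gets its own copy, assigned once at creation.
function createAboutBlankIframe(parent, model) {
  return makeDocument(model === "shared" ? parent.origin : { ...parent.origin });
}

// document.domain setter (simplified): the new value must be the host itself or a
// dot-separated suffix of it, otherwise the setter throws a "SecurityError".
function setDocumentDomain(doc, value) {
  const host = doc.origin.host;
  if (value === "" || (value !== host && !host.endsWith("." + value))) {
    throw new Error("SecurityError: cannot set document.domain to " + value);
  }
  doc.origin.domain = value;
}

// The check behind iframe.contentDocument / document.write() across documents,
// following the HTML Standard's "same origin-domain" rule: either neither document
// set document.domain and the origins match, or both set it to the same value.
function sameOriginDomain(a, b) {
  const x = a.origin, y = b.origin;
  if (x.domain === null && y.domain === null) {
    return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
  }
  return x.domain !== null && y.domain !== null &&
    x.scheme === y.scheme && x.domain === y.domain;
}

// Script inside the iframe relaxes document.domain; does the parent see it?
function demo(model) {
  const outer = makeDocument(makeOrigin("https", "pages.example.com", 443)); // constructed
  const inner = createAboutBlankIframe(outer, model);
  setDocumentDomain(inner, "example.com");
  return {
    outerDomain: outer.origin.domain,
    innerDomain: inner.origin.domain,
    accessAllowed: sameOriginDomain(outer, inner),
  };
}
```

Under the "spec" model the outer document never set document.domain, so the pair fails the check and the outer page's document.write() into the iframe is refused; under the "shared" model the iframe's assignment silently rewrites the outer page's effective domain too, which is the behaviour Boris calls "sort of buggy".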