- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Mon, 02 Apr 2012 09:39:31 -0400
- To: Simon Pieters <simonp@opera.com>
- CC: Cameron McCormack <cam@mcc.id.au>, public-webapps@w3.org, "public-script-coord@w3.org" <public-script-coord@w3.org>
On 4/2/12 2:50 AM, Simon Pieters wrote: > I can find: > > "User agents must throw a SecurityError exception whenever any > properties of a Document object are accessed by scripts whose effective > script origin is not the same as the Document's effective script origin." > http://www.whatwg.org/specs/web-apps/current-work/multipage/dom.html#documents Yeah. That sort of language is needed somewhere for all objects, not just Documents. > I don't know how well this matches reality though. Reasonably well, last I checked, for window and document. > It seems the spec forbids access to iframe.contentWindow.document but > allows iframe.contentDocument. Yes. That's largely what implementations do... -Boris
Received on Monday, 2 April 2012 13:40:10 UTC