- From: Boris Zbarsky <bzbarsky@mit.edu>
- Date: Tue, 18 Nov 2014 20:30:51 -0500
- To: public-webappsec@w3.org
On 11/18/14, 6:40 PM, Brad Hill wrote:
> location.origin reports the origin even when inside an origin
> sandbox that tests as null elsewhere.
That's because location.origin seems to be defined as the origin of the
location URL, not the origin of the document... This can be an issue in
other situations too; for the simplest example, consider this testcase:
<iframe></iframe>
<script>
alert("Origin: '" + frames[0].location.origin + "'");
</script>
Live version at <http://jsfiddle.net/5kLqceqs/>. The subframe location
is about:blank, so location.origin is "null", but the document origin is
an alias of the parent document origin,
> Firefox supports the sandbox attribute of iframe, but not the
> sandbox CSP directive.
Indeed. https://bugzilla.mozilla.org/show_bug.cgi?id=671389
> Workers in Firefox cannot create sub-Workers form a blob: (no
> window.URL.createObjectURL method).
Well, no "window". But self.URL.createObjectURL or just
URL.createObjectURL should work in Firefox 21 and newer. And seems to
work fine for starting a sub-Worker too. See
<http://web.mit.edu/bzbarsky/www/testcases/workers/test-worker-from-blob-in-worker.html>.
> Otherwise, they agree pretty well, except that Chrome reports the
> location.origin of a blob created with allow-same-origin as the
> origin of the creating page, or the string "://" if from a
> sandboxed origin, and Firefox always reports location.origin of a
> blob as "null".
Hmm. There were some recent spec changes in this area; I don't recall
what the right behavior here is nowadays. It's possible that one or
both are buggy (e.g. I doubt "://" is ever a valid origin).
-Boris
Received on Wednesday, 19 November 2014 01:31:18 UTC