[whatwg] Origin feedback

Ian Hickson wrote:
> On Wed, 30 Apr 2008, Jonas Sicking wrote:
>>> The aliasing behaviour seems really dodgy. I've specced the copying 
>>> behaviour, which also matches Opera.
>> The reason you want to use aliasing is in a situation like this (file 
>> loaded from www.example.com) :
>>
>> <html>
>>   <body>
>>   <iframe id=f></iframe>
>>   <script>
>> onload = function() {
>>   document.domain = "example.com";
>>   document.getElementById('f').contentDocument.write("hello world");
>> }
>>   </script>
>>   </body>
>> </html>
>>
>> the document.domain call changes the outer documents principal. If there 
>> was no aliasing then the .write call would result in a security 
>> exception stating that content from "example.com" doesn't have access to 
>> "www.example.com".
> 
> Yes, you want a security exception there. That's what IE does, in fact. 
> (Opera too.)

Why do you want that? That seems very counter intuitive to me (though 
unfortunately lots of document.domain behavior is).

/ Jonas

Received on Wednesday, 30 April 2008 15:11:27 UTC