On 1/8/13 1:42 AM, Boris Zbarsky wrote: >On 1/7/13 11:28 PM, Ian Hickson wrote: >> The check is the same -- if the Document that is the "this" to >> which the property is being applied doesn't match the origin of the >> script >> that is doing the applying, throw SecurityError. Actually, that's not enough. You have to security-check arguments too. Otherwise this: document.createTreeWalker(crossFrameDoc, etc); would be bad. (Note that right now the DOM spec fails to handle this, which is about what I would expect out of people creating APIs, which is why I would really prefer we define this on a low level where people can't screw up by forgetting it.) -BorisReceived on Tuesday, 8 January 2013 06:46:57 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 30 January 2013 18:48:12 GMT