Re: [whatwg] Need to define same-origin policy for WebIDL operations/getters/setters

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 9 Jan 2013 22:28:37 +0100
Message-ID: <CADnb78gGV037cjD09U9MzvNcjrj1Ozy=h55i3OcmEnT861PQZQ@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: whatwg@lists.whatwg.org

On Tue, Jan 8, 2013 at 7:46 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> Actually, that's not enough.  You have to security-check arguments too.
> Otherwise this:
>   document.createTreeWalker(crossFrameDoc, etc);
> would be bad.  (Note that right now the DOM spec fails to handle this, which
> is about what I would expect out of people creating APIs, which is why I
> would really prefer we define this on a low level where people can't screw
> up by forgetting it.)

You didn't file a bug on this I think. I did think HTML handled this
already though which is why it is not addressed in the DOM

Received on Wednesday, 9 January 2013 21:29:04 UTC
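
Added example (not part of the original message, nor code from any spec or browser): a toy JavaScript model of the point made in the quoted text, comparing a binding-layer guard that checks only the receiver with one that also checks every argument. `PlatformObject`, `guardOperation`, `createTreeWalkerImpl` and the two origins are hypothetical names constructed for illustration.

```javascript
// Toy model (constructed): each platform object records the origin it belongs to.
class PlatformObject {
  constructor(origin) { this.origin = origin; }
}

class SecurityError extends Error {}

// Hypothetical low-level guard applied once, where operations are bound,
// so individual API definitions cannot forget the check.
// checkArgs=false models "only the receiver (this) is checked".
function guardOperation(callerOrigin, impl, { checkArgs }) {
  return function (...args) {
    const toCheck = checkArgs ? [this, ...args] : [this];
    for (const value of toCheck) {
      if (value instanceof PlatformObject && value.origin !== callerOrigin) {
        throw new SecurityError(`cross-origin object from ${value.origin}`);
      }
    }
    return impl.apply(this, args);
  };
}

// Stand-in for document.createTreeWalker(root): the result exposes root.
function createTreeWalkerImpl(root) {
  return { root };
}

// Calls createTreeWalker on a same-origin document, passing a document
// whose origin is argOrigin, and reports whether the guard let it through.
function tryCreateTreeWalker(checkArgs, argOrigin) {
  const callerOrigin = "https://a.example"; // constructed sample origin
  const doc = new PlatformObject(callerOrigin);
  const otherDoc = new PlatformObject(argOrigin);
  doc.createTreeWalker = guardOperation(callerOrigin, createTreeWalkerImpl, { checkArgs });
  try {
    doc.createTreeWalker(otherDoc);
    return "allowed";
  } catch (e) {
    if (e instanceof SecurityError) return "blocked";
    throw e;
  }
}
```

With the receiver-only guard the call carrying the cross-origin document goes through; with argument checking enabled it is rejected, while same-origin arguments still work.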