Re: [whatwg] Need to define same-origin policy for WebIDL operations/getters/setters

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 9 Jan 2013 22:28:37 +0100
Message-ID: <CADnb78gGV037cjD09U9MzvNcjrj1Ozy=h55i3OcmEnT861PQZQ@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: whatwg@lists.whatwg.org

On Tue, Jan 8, 2013 at 7:46 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> Actually, that's not enough.  You have to security-check arguments too.
> Otherwise this:
>
>   document.createTreeWalker(crossFrameDoc, etc);
>
> would be bad.  (Note that right now the DOM spec fails to handle this, which
> is about what I would expect out of people creating APIs, which is why I
> would really prefer we define this on a low level where people can't screw
> up by forgetting it.)

You didn't file a bug on this I think. I did think HTML handled this
already though which is why it is not addressed in the DOM
specification.


-- 
http://annevankesteren.nl/
Received on Wednesday, 9 January 2013 21:29:04 GMT
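
The binding-level check argued for in the quoted text, as an added example that is not part of the original message: a JavaScript model in which every operation is defined through one wrapper that same-origin-checks the receiver and each argument. `PlatformObject`, `defineOperation`, `checkAccess` and the explicit `callerOrigin` parameter are hypothetical, and this is not how any browser or the WebIDL specification implements it.

```javascript
// Model only: platform objects are plain JS objects tagged with an origin.
// All names here (PlatformObject, defineOperation, checkAccess) are hypothetical.
class SecurityError extends Error {}

class PlatformObject {
  constructor(origin) { this.origin = origin; }
}

// Same-origin check for one value. Values that are not platform objects
// (numbers, strings, callbacks) carry no origin and pass through.
function checkAccess(callerOrigin, value) {
  if (value instanceof PlatformObject && value.origin !== callerOrigin) {
    throw new SecurityError(`cross-origin object from ${value.origin}`);
  }
}

// Binding-level wrapper: every operation defined through it has its receiver
// AND each argument checked, so an individual API definition cannot forget.
// callerOrigin stands in for the origin of the calling script (assumption).
function defineOperation(impl) {
  return function (callerOrigin, ...args) {
    checkAccess(callerOrigin, this);
    for (const arg of args) checkAccess(callerOrigin, arg);
    return impl.apply(this, args);
  };
}

class Doc extends PlatformObject {}
// Stand-in for an operation that takes another platform object as its root.
Doc.prototype.createTreeWalker = defineOperation(function (root) {
  return { root, owner: this };
});

// Constructed sample: documents from two different origins.
function demo() {
  const mine = new Doc("https://a.example");
  const sameOriginDoc = new Doc("https://a.example");
  const crossFrameDoc = new Doc("https://b.example");
  const ok = mine.createTreeWalker("https://a.example", sameOriginDoc);
  let blocked = false;
  try {
    mine.createTreeWalker("https://a.example", crossFrameDoc);
  } catch (e) {
    blocked = e instanceof SecurityError;
  }
  return { okRoot: ok.root === sameOriginDoc, blocked };
}
```

The model checks only top-level arguments; platform objects nested inside dictionaries or sequences would need the same check applied during argument conversion.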
