
Re: [whatwg] Need to define same-origin policy for WebIDL operations/getters/setters

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Wed, 09 Jan 2013 17:18:28 -0500
Message-ID: <50EDECB4.8040002@mit.edu>
To: Adam Barth <w3c@adambarth.com>
Cc: whatwg <whatwg@lists.whatwg.org>, Ian Hickson <ian@hixie.ch>

On 1/9/13 4:33 PM, Adam Barth wrote:
> For what it's worth, that doesn't appear to be necessary for web
> compatibility.  Any time WebKit would return a Document to a script in
> another origin, WebKit returns null instead.

The HTML spec requires that property access on documents use effective 
script origin for checks.

Effective script origins are mutable.

It is in fact possible to get your hands on a document in a different 
effective script origin in WebKit (thanks, document.domain).

Just saying,
Boris
Received on Wednesday, 9 January 2013 22:18:52 GMT
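
The point of the message above, as an added example that is not code from the thread, the HTML spec, or WebKit: a simplified model in which a check made only when a Document is handed out goes stale once `document.domain` changes the effective script origin, while a check on each property access does not. `ModelDocument`, `getDocumentOrNull`, `readTitle` and the `example.com` URLs are hypothetical, and the domain-suffix rule is reduced to a plain string test.

```javascript
// Simplified model (assumption): an origin is {scheme, host, port}. Setting
// document.domain rewrites the effective script origin's host and replaces
// its port with a marker that matches only itself.
const MANUAL = "manual override";

class ModelDocument {
  constructor(url) {
    const u = new URL(url);
    this.origin = { scheme: u.protocol, host: u.hostname, port: u.port };
    this.effective = { ...this.origin }; // starts equal to the origin
    this.title = "title of " + url;
  }
  setDomain(value) {
    const host = this.effective.host;
    if (host !== value && !host.endsWith("." + value)) throw new Error("SecurityError");
    this.effective = { scheme: this.origin.scheme, host: value, port: MANUAL };
  }
}

function sameEffectiveOrigin(a, b) {
  const x = a.effective, y = b.effective;
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Policy A: check once, when the Document is returned (null if cross-origin).
function getDocumentOrNull(caller, target) {
  return sameEffectiveOrigin(caller, target) ? target : null;
}

// Policy B: check on every property access, against the current effective origins.
function readTitle(caller, target) {
  if (!sameEffectiveOrigin(caller, target)) throw new Error("SecurityError");
  return target.title;
}

// Constructed scenario: two same-origin documents, one of which sets
// document.domain after the other already holds a reference to it.
function demo() {
  const parent = new ModelDocument("https://a.example.com/parent");
  const child = new ModelDocument("https://a.example.com/child");
  const held = getDocumentOrNull(parent, child); // same origin: reference handed out
  child.setDomain("example.com");                // effective script origin changes later
  let perAccess;
  try { perAccess = readTitle(parent, held); } catch (e) { perAccess = e.message; }
  return { gotReference: held === child, stillSame: sameEffectiveOrigin(parent, held),
           laterHandout: getDocumentOrNull(parent, child), perAccess };
}
```
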
