[whatwg] `window.location.origin` in sandboxed IFrames.

From: Mike West <mkwst@google.com>
Date: Thu, 10 Jan 2013 00:17:07 +0100
Message-ID: <CAKXHy=d=T=VDq+Tz9p3gTWFkuBC8=GXfiVh5_pjAOdCNUAWTfA@mail.gmail.com>
To: whatwg@whatwg.org
Cc: Adam Barth <w3c@adambarth.com>

Hello!

In WebKit, loading '<iframe sandbox="allow-scripts"
src="frame.html"></iframe>' with a framed document containing
'<script>alert(window.location.origin);</script>' alerts the actual
origin of the document, which wasn't what I expected. I'm not sure
what's intended, but I expected that treating the framed document as
existing in a unique origin would have some effect on the string
output as its location's origin.

Adam explained that WebKit currently treats the 'origin' attribute as
the origin of the document's location, not the origin of the
document[1]. This is generally benign, but surprised me in the
sandboxed case.

What should the expected behavior in this case be? Given the way that
MessageEvent sets the origin of a message from a sandboxed frame to
the string "null", that seems like a reasonable option here as well.

WDYT?

[1]: https://bugs.webkit.org/show_bug.cgi?id=106488#c1

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
Received on Wednesday, 9 January 2013 23:17:59 GMT
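
The distinction raised in this message, as an added example that is not part of the original e-mail or of WebKit's code: it models the origin of a document's location versus the serialized origin of a sandboxed document, and how a parent page can check messages from such a frame. All function names and the sample URL are hypothetical.

```javascript
// Added illustration (not from the original message). Function names and
// the sample URL are hypothetical / constructed.

// Origin of the document's *location*: derived from the URL alone, which is
// how the message says WebKit computed window.location.origin.
function locationOrigin(url) {
  return new URL(url).origin;
}

// Serialized origin of the *document*: a frame sandboxed without
// allow-same-origin runs in a unique origin, which serializes as "null"
// (the string MessageEvent.origin carries for such a frame).
// sandboxAttr is the attribute value, or null when the attribute is absent.
function documentOrigin(url, sandboxAttr) {
  if (sandboxAttr !== null) {
    const tokens = sandboxAttr.toLowerCase().split(/\s+/).filter(Boolean);
    if (!tokens.includes("allow-same-origin")) return "null";
  }
  return new URL(url).origin;
}

// Parent-side check for a message event. Every sandboxed frame reports
// "null", so the origin string cannot identify the sender on its own:
// compare event.source with the expected frame's window first.
function acceptMessage(event, frameWindow, frameUrl, sandboxAttr) {
  if (event.source !== frameWindow) return false;
  return event.origin === documentOrigin(frameUrl, sandboxAttr);
}

// Constructed sample: the frame from the message plus a second sandboxed frame.
const FRAME_URL = "https://example.com/frame.html";
const frameA = {}; // stands in for the expected iframe.contentWindow
const frameB = {}; // stands in for some other sandboxed frame

function demo() {
  const sandbox = "allow-scripts";
  return {
    location: locationOrigin(FRAME_URL),
    document: documentOrigin(FRAME_URL, sandbox),
    fromA: acceptMessage({ source: frameA, origin: "null" }, frameA, FRAME_URL, sandbox),
    fromB: acceptMessage({ source: frameB, origin: "null" }, frameA, FRAME_URL, sandbox),
  };
}
```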
