- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Mon, 17 Jun 2013 07:50:38 -0400
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: whatwg <whatwg@whatwg.org>, Ian Hickson <ian@hixie.ch>, Adam Barth <abarth@eecs.berkeley.edu>
On 6/17/13 7:38 AM, Anne van Kesteren wrote:
> On Fri, Nov 30, 2012 at 11:47 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
>> Right. My point was that "cross-origin" for the case of stylesheet at least
>> in Gecko depends on the origin of the script that tries to modify them, not
>> on the origin of the document that linked to them...
>
> Is there a good reason for this? This seems fairly distinct from how
> <img>, <script>, and <video> work.

Just in terms of considering effective script origins instead of origins?

<img> and <video> compare the origin of the canvas to the origin of the image/video, if you mean the security check I think you mean. It explicitly doesn't use effective script origin because you can't set that on <img>.

<script>, if you mean the onerror checks, in Gecko checks whether the effective script origin of the window whose onerror is about to fire matches the origin of the script. And we make the origin of the script an alias of the effective script origin of the document it's loaded into in cases when the script was either loaded no-cors or passed cors security checks.

What do other UAs do?

Again, the default security check in Gecko is always against effective script origin, so any check that predates a recent spec is always that way. Whether there's a good reason for it needs to be checked on a case-by-case basis.

-Boris
Received on Monday, 17 June 2013 11:51:06 UTC