- From: Hallvord R. M. Steen <hallvord@opera.com>
- Date: Mon, 21 Nov 2011 22:09:38 +0100
- To: "public-html list" <public-html@w3.org>
Hi,

I'm trying to figure out what sort of loophole lets Chrome and Firefox run this code without any security exceptions:

http://www.hallvord.com/temp/domain.htm

The gist is this snippet running in the parent page, changing the IFRAME:

    iframe.contentDocument.write('will set document.domain in IFRAME to hallvord.com<br>');
    iframe.contentDocument.domain = 'hallvord.com';
    iframe.contentDocument.write('<br>document.domain in IFRAME now: '+iframe.contentDocument.domain);

From HTML5's text on origin as currently written, from other tests and from Opera's behaviour I'd expect the third line above to throw an exception because the origin of the IFRAME's document is now different from the parent.

I know Opera has had (and still has) some security checks in DOM that other browsers do not have - but here we're looking up 'contentDocument' on 'iframe', and that certainly must be subject to security checks in all UAs, right?

This currently causes a problem on eBay. Do we need to fix HTML5 to align with Chrome/Firefox?

-- 
Hallvord R. M. Steen, Core Tester, Opera Software
http://www.opera.com http://my.opera.com/hallvors/
Received on Monday, 21 November 2011 21:10:06 UTC
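
The origin comparison the message relies on, as an added example that is not part of the original post or any browser's code: a small JavaScript model of the HTML "same origin-domain" check, run over the three steps of the snippet. Assumptions: the function names are hypothetical, the IFRAME is taken to start out same-origin with the parent page, and the setter check omits the public suffix list that real browsers consult.

```javascript
// Added model of the HTML "same origin-domain" check; not browser code.
// An origin is {scheme, host, port, domain}; domain stays null until
// document.domain is assigned.
function makeOrigin(url) {
  const u = new URL(url);
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  return { scheme: u.protocol.slice(0, -1), host: u.hostname, port, domain: null };
}

// Simplified document.domain setter: the value must equal the current
// domain or be a dot-separated parent of it. The public suffix list check
// is left out of this sketch (assumption).
function setDomain(origin, value) {
  const current = origin.domain ?? origin.host;
  if (value !== current && !current.endsWith('.' + value)) {
    throw new Error('SecurityError: ' + value + ' is not a suffix of ' + current);
  }
  return { ...origin, domain: value };
}

// Once either side has set document.domain, both must have set it to the
// same value; the port is ignored. Otherwise plain same-origin applies.
function sameOriginDomain(a, b) {
  if (a.domain !== null || b.domain !== null) {
    return a.scheme === b.scheme && a.domain !== null && a.domain === b.domain;
  }
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// The three stages of the snippet, seen from the parent page.
function walkthrough() {
  const pageUrl = 'http://www.hallvord.com/temp/domain.htm';
  let parent = makeOrigin(pageUrl);
  let frame = makeOrigin(pageUrl); // assumption: frame starts same-origin
  const results = { before: sameOriginDomain(parent, frame) };
  frame = setDomain(frame, 'hallvord.com');                 // second line
  results.afterFrameOnly = sameOriginDomain(parent, frame); // third line's access
  parent = setDomain(parent, 'hallvord.com');               // parent opts in too
  results.afterBoth = sameOriginDomain(parent, frame);
  return results;
}

console.log(walkthrough());
```

Under this model the access on the third line is the one that fails, and it succeeds again only once the parent page also sets its own document.domain to the same value.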