document.write() and .close() allowed on IFRAME though its document.domain was set

Hi,
I'm trying to figure out what sort of loophole lets Chrome and Firefox run  
this code without any security exceptions:
http://www.hallvord.com/temp/domain.htm

The gist is this snippet running in the parent page, changing the IFRAME:

iframe.contentDocument.write('will set document.domain in IFRAME to hallvord.com<br>');
iframe.contentDocument.domain = 'hallvord.com';
iframe.contentDocument.write('<br>document.domain in IFRAME now: '+iframe.contentDocument.domain);

From HTML5's text on origin as currently written, from other tests and
from Opera's behaviour I'd expect the third line above to throw an
exception because the origin of the IFRAME's document is now different
from the parent.

I know Opera has had (and still has) some security checks in DOM that  
other browsers do not have - but here we're looking up 'contentDocument'  
on 'iframe', and that certainly must be subject to security checks in all  
UAs, right?

This currently causes a problem on eBay. Do we need to fix HTML5 to align  
with Chrome/Firefox?

-- 
Hallvord R. M. Steen, Core Tester, Opera Software
http://www.opera.com http://my.opera.com/hallvors/

Received on Monday, 21 November 2011 21:10:06 UTC
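
Added example, not part of the original message: a small model of the origin comparison the message expects, written after the HTML Standard's "same origin-domain" check. It models the specification rule only, not what any browser does. The frame URL is a constructed placeholder, the function names are hypothetical, and the suffix test in setDomain is a simplification (real user agents consult the public suffix list).

```javascript
// An origin is modelled as { scheme, host, port, domain }.
// domain stays null until a script assigns document.domain.
function makeOrigin(url) {
  const u = new URL(url);
  const defaultPort = { "http:": "80", "https:": "443" }[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname, port: u.port || defaultPort, domain: null };
}

// Plain same-origin comparison: scheme, host and port must all match.
function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// "Same origin-domain": once either side has set document.domain, both sides
// must have set it, to the same value. The port is ignored in that case.
function sameOriginDomain(a, b) {
  if (a.scheme !== b.scheme) return false;
  if (a.domain !== null || b.domain !== null) return a.domain === b.domain;
  return sameOrigin(a, b);
}

// Model of the document.domain setter: the new value must be the current
// value or a dot-separated suffix of it (simplified, no public suffix list).
function setDomain(origin, value) {
  const current = origin.domain ?? origin.host;
  const isSuffix = current === value || current.endsWith("." + value);
  if (!isSuffix || !value.includes(".")) throw new Error("SecurityError");
  return { ...origin, domain: value };
}

// The three states relevant to the snippet in the message.
function walkThrough() {
  const parent = makeOrigin("http://www.hallvord.com/temp/domain.htm");
  // Constructed placeholder URL for the framed document (same host assumed).
  let frame = makeOrigin("http://www.hallvord.com/frame-placeholder.htm");
  const results = [];
  results.push(sameOriginDomain(parent, frame));   // before the assignment
  frame = setDomain(frame, "hallvord.com");
  results.push(sameOriginDomain(parent, frame));   // only the frame has set domain
  const parentAfter = setDomain(parent, "hallvord.com");
  results.push(sameOriginDomain(parentAfter, frame)); // both have set domain
  return results;
}

console.log(walkThrough());
```

Under this model the access made by the third line of the snippet is the middle case: the parent has not set document.domain, the frame has, so the comparison fails until the parent opts in as well.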