- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Mon, 21 Nov 2011 17:33:51 -0500
- To: public-html@w3.org
On 11/21/11 4:09 PM, Hallvord R. M. Steen wrote: > I know Opera has had (and still has) some security checks in DOM that > other browsers do not have - but here we're looking up 'contentDocument' > on 'iframe', and that certainly must be subject to security checks in > all UAs, right? In at least the case of Gecko, about:blank iframes have the same origin _object_ as the page that loaded them. That is, when document.domain is set on that iframe, it changes the document.domain of the page that loaded it as well (or more precisely, changes the single object that both documents have pointers to and which represents the origin of the outer page). Arguably the Gecko behavior here is sort of buggy.... > This currently causes a problem on eBay. Do we need to fix HTML5 to > align with Chrome/Firefox? It would be good to understand why it works in WebKit; I didn't think they did the same "share the origin object" thing Gecko does here. -Boris
Received on Monday, 21 November 2011 22:34:22 UTC