- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Sat, 15 Dec 2012 13:43:35 -0500
- To: "public-script-coord@w3.org" <public-script-coord@w3.org>
- CC: whatwg <whatwg@lists.whatwg.org>
Ccing whatwg because that's where the whole "origin" thing is currently defined. Consider this testcase: <iframe src="http://w3.org"></iframe><script> window.onload = function () { try { var doc = document.querySelector("iframe").contentDocument; var list = document.getElementsByTagName.call(doc, "*"); alert(list.item(0).textContent); } catch (e) { alert(e); } }</script> This throws in Safari, Chrome, Firefox, and Opera, all on the "getElementsByTagName.call" bit (except when loaded via file:// in Safari, in which case it actually lets you read all data from random website in the iframe). But I see nothing in the specs that requires this behavior, or indeed even allows it. The security bits currently in the html spec talk about property access on cross-origin Document and Window, but in this case there is no property access happening on them per se... In any case, this needs to be defined somewhere. -Boris
Received on Saturday, 15 December 2012 18:44:04 UTC