- From: Hallvord Reiar M. Steen <hallvord@opera.com>
- Date: Fri, 07 Jun 2013 13:27:44 +0200
- To: public-script-coord@w3.org
Hi,
I'm trying to settle on pass conditions for a test probing the
implementation's same-origin policy.This might be the right mailing list
for this question..
The browsers I test with differ and I'm not sure if this is covered by any
spec, so it's a bit hard to decide what the right pass condition is. This
is the issue:
* Given a HTML document with an IFRAME tag which has content from a
different origin
* Given that the IFRAME defines global variables and methods 'foo' and
'bar'
what happens if I do
with(iframe.contentWindow){
foo = 'rewritten';
bar();
}
..is not a problem. All browsers throw, as they should.
But what should happen here?
var variableInParent=1;
with(iframe.contentWindow){
variableInParent++;
}
In this case, some browsers throw and some browsers permit referencing the
variable in the global scope.
Also, defining new variables in the with block that previously exist
neither in the global scope nor in the IFRAME's shows inconsistency across
browsers:
with(iframe.contentWindow){
previouslyUndefinedVariable='test';
}
Those browsers that throw for the second sample above also throw for this.
(This does seem a bit concerning because in those browsers this can be
used to spy on what *names* another site has defined in its JS. Just
include target site in an IFRAME, try to define the variables you're
looking for in an IFRAME - if it throws, you know the IFRAME does indeed
define that variable..)
Is there any spec I can read to figure out what the right behaviour is?
--
Hallvord R. M. Steen
Core tester, Opera Software
Received on Friday, 7 June 2013 11:27:16 UTC