- From: Ulan Degenbaev <notifications@github.com>
- Date: Wed, 26 Jun 2019 11:49:24 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 26 June 2019 18:49:47 UTC
@annevk "can access" should be interpreted according to the spec and independent from a particular implementation.

Are you referring to the case when two iframes start with the same domain `foo.bar.com` and then one iframe changes its domain to `bar.com` while the other one stays with `foo.bar.com`?

If the API is invoked after the domain change, then the two iframes are considered as different origin. In that case the implementation either throws a security error or guarantees that the objects accounted in the result can be accessed by the calling iframe according to the security checks defined in the spec.

There is a corner case when the domain of an iframe is changed after API invocation but before the result promise is resolved. Requiring the implementation to throw a security error in this case might be a safe bet here. I am not sure.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/386#issuecomment-506000180