- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 29 Apr 2008 01:44:19 +0000 (UTC)
On Wed, 23 Jan 2008, Jeff Walden wrote:
>
> The current verbiage describing open() says nothing about the document's
> origin reflecting that of the mutator, which is an oversight which
> should eventually be corrected. This came up when considering the
> values of the domain/uri properties on a MessageEvent created by a
> document.open()ed document which calls postMessage. Just making sure
> this gets in the queue to be addressed...

Since you can only call document.open() if you are same-origin or if both you and the victim have set document.domain to the same value, it seems that this is a non-issue.

As it stands, the origin of the manufactured document will match the URI of that document as given by window.location, etc, instead of the origin of the document that created it, but that seems to be the most consistent behaviour and thus desirable. (It can't be too far from the other origin anyway, since document.domain must have been used to get from one to the other.)

--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 28 April 2008 18:44:19 UTC