[whatwg] Calling HTMLDocument.open() should change the origin of the document to the caller's origin

On Wed, 23 Jan 2008, Jeff Walden wrote:
> The current verbiage describing open() says nothing about the document's 
> origin reflecting that of the mutator, which is an oversight which 
> should eventually be corrected.  This came up when considering the 
> values of the domain/uri properties on a MessageEvent created by a 
> document.open()ed document which calls postMessage.  Just making sure 
> this gets in the queue to be addressed...

Since you can only call document.open() if you are same-origin or if both 
you and the victim have set document.domain to the same value, it seems 
that this is a non-issue. As it stands, the origin of the manufactured 
document will match the URI of that document as given by window.location, 
etc, instead of the origin of the document that created it, but that seems 
to be the most consistent behaviour and thus desireable. (It can't be too 
far from the other origin anyway, since document.domain must have been 
used to get from one to the other.)

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Monday, 28 April 2008 18:44:19 UTC