- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 29 Apr 2008 03:08:06 +0000 (UTC)
On Wed, 23 Jan 2008, Jeff Walden wrote:
>
> The spec as currently written says that document.domain in a document
> located at a URI with no domain is null:
>
> data:text/html,<script>alert(document.domain);</script>
>
> Safari and Opera both alert the empty string for this; Firefox alerts
> null.

I've changed it to empty string.

> There's also a domain property on MessageEvent, used with the
> cross-document postMessage API. The exact value of this property isn't
> quite clear in the current spec (which says the document has no domain
> but doesn't say what that translates into on the MessageEvent
> interface), but Opera and Safari both agree that the domain property
> should be the empty string when the page that calls postMessage is a
> data: URL.

This is now specified in detail.

On Thu, 24 Jan 2008, Jonas Sicking wrote:
>
> Note that this is a much bigger issue than simply what to return for
> document.domain. It's basically the question, what security context
> should data: documents and written-into documents use.

This is now defined, I believe, though there may be issues. Let me know if
the current definitions break with any sites.

On Thu, 24 Jan 2008, Adam Barth wrote:
>
> The security origin of frames that begin life with the URL "about:blank"
> or "" differs in different browsers. In Firefox and the trunk revision
> of WebKit, the principal for the frame is aliased to the principal of
> the frame's parent (or opener, if it is a top-level frame). In IE7, the
> frame appears to copy the principal.
>
> http://crypto.stanford.edu/~abarth/research/html5/empty-frame/
>
> The frame's window.location.href property matches the parent/opener in
> Firefox, IE, and Safari:
>
> http://crypto.stanford.edu/~abarth/research/html5/empty-frame/href.html

The aliasing behaviour seems really dodgy. I've specced the copying
behaviour, which also matches Opera.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 28 April 2008 20:08:06 UTC
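
The difference between aliasing and copying the parent's principal for an about:blank frame, as an added example that is not part of the original message and is not browser or spec code. It assumes a simplified model in which a document.domain assignment is recorded on the origin object itself; the class names, function names and the example.test hosts are all constructed for illustration.

```javascript
// Simplified model, constructed for illustration; not browser or spec code.
class Origin {
  constructor(scheme, host, port) {
    Object.assign(this, { scheme, host, port, domain: null }); // domain: set via document.domain
  }
  // Access check: once either side has set document.domain, both must match on it.
  canAccess(other) {
    if (this.domain !== null || other.domain !== null) {
      return this.scheme === other.scheme && this.domain === other.domain;
    }
    return this.scheme === other.scheme && this.host === other.host && this.port === other.port;
  }
}

class Doc {
  constructor(origin) { this.origin = origin; }
  setDomain(value) { // models assigning to document.domain
    const host = this.origin.host;
    if (host !== value && !host.endsWith("." + value)) throw new Error("SecurityError");
    this.origin.domain = value;
  }
}

// mode "alias": child shares the parent's origin object; mode "copy": child gets a snapshot.
function createBlankFrame(parent, mode) {
  if (mode === "alias") return new Doc(parent.origin);
  const o = parent.origin;
  const copy = new Origin(o.scheme, o.host, o.port);
  copy.domain = o.domain;
  return new Doc(copy);
}

function scenario(mode) {
  const parent = new Doc(new Origin("http", "app.example.test", 80));
  const sibling = new Doc(new Origin("http", "other.example.test", 80));
  sibling.setDomain("example.test");
  const blank = createBlankFrame(parent, mode); // created before the parent relaxes its domain
  const before = blank.origin.canAccess(sibling.origin);
  parent.setDomain("example.test");
  return {
    before,
    blankToParent: blank.origin.canAccess(parent.origin),
    blankToSibling: blank.origin.canAccess(sibling.origin),
  };
}

console.log("alias:", scenario("alias"));
console.log("copy: ", scenario("copy"));
```

In this model an aliased frame's reachable set changes whenever the parent later changes its own domain, while a copied frame keeps the origin it was created with until it sets document.domain itself.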