- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 30 Apr 2008 21:59:25 +0000 (UTC)
On Wed, 30 Apr 2008, Jonas Sicking wrote:
> >
> > The aliasing behaviour seems really dodgy. I've specced the copying
> > behaviour, which also matches Opera.
>
> The reason you want to use aliasing is in a situation like this (file
> loaded from www.example.com):
>
> <html>
> <body>
> <iframe id=f></iframe>
> <script>
> onload = function() {
>   document.domain = "example.com";
>   document.getElementById('f').contentDocument.write("hello world");
> }
> </script>
> </body>
> </html>
>
> the document.domain call changes the outer document's principal. If there
> was no aliasing then the .write call would result in a security
> exception stating that content from "example.com" doesn't have access to
> "www.example.com".

Yes, you want a security exception there. That's what IE does, in fact.
(Opera too.)

> Similarly (file loaded from www.example.com):
>
> <html>
> <body>
> <script>
> onload = function() {
>   xhr = new XMLHttpRequest();
>   xhr.open("GET", "http://www.example.com/data.xml", false);
>   xhr.send(null);
>   doc = xhr.responseXML;
>   doc.documentElement;
>   document.domain = "example.com";
>   doc.documentElement;
> }
> </script>
> </body>
> </html>
>
> Without the XHR document "aliasing" the principal of the main document,
> the first doc.documentElement call will succeed, but the second will
> throw a security error.

Agreed. I've made XHR documents track the origin of the document of the
window that the XHR object was from, and made document.domain throw when
called on such documents.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 30 April 2008 14:59:25 UTC
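
The two behaviours discussed in this message, as an added example that is not part of the original e-mail and is neither browser nor specification code: a simplified model in which an iframe's initial document copies its creator's origin while an XHR response document tracks it. The `Origin` and `Doc` classes, their methods and the suffix-only domain check are assumptions made for illustration.

```javascript
// Simplified, constructed model of origin copying vs. origin tracking.
class Origin {
  constructor(scheme, host, port) {
    this.scheme = scheme; this.host = host; this.port = port;
    this.domainSet = false; // true once document.domain has been assigned
  }
  clone() { return Object.assign(new Origin(), this); }
  sameAs(o) {
    // Both sides must have set document.domain, or neither.
    if (this.scheme !== o.scheme || this.domainSet !== o.domainSet) return false;
    // Once document.domain is set the port is ignored; before that it must match.
    return this.host === o.host && (this.domainSet || this.port === o.port);
  }
}

class Doc {
  constructor(origin, { xhr = false } = {}) { this.origin = origin; this.xhr = xhr; }
  // Copying: the iframe document gets its own snapshot of the creator's origin.
  createFrameDoc() { return new Doc(this.origin.clone()); }
  // Tracking: the XHR document shares the Origin object of its owner document.
  createXhrDoc() { return new Doc(this.origin, { xhr: true }); }
  setDomain(value) {
    if (this.xhr) throw new Error("SecurityError: document.domain on an XHR document");
    const h = this.origin.host;
    // Assumption: only an exact match or a parent-domain suffix is accepted.
    if (h !== value && !h.endsWith("." + value)) throw new Error("SecurityError: not a parent domain");
    this.origin.host = value;
    this.origin.domainSet = true;
  }
  canAccess(other) { return this.origin.sameAs(other.origin); }
}

function demo() {
  const outer = new Doc(new Origin("http", "www.example.com", 80));
  const frame = outer.createFrameDoc();
  const xhrDoc = outer.createXhrDoc();
  const before = { frame: outer.canAccess(frame), xhr: outer.canAccess(xhrDoc) };
  outer.setDomain("example.com"); // the outer page relaxes its origin
  const after = { frame: outer.canAccess(frame), xhr: outer.canAccess(xhrDoc) };
  let xhrSetDomainThrows = false;
  try { xhrDoc.setDomain("example.com"); } catch (e) { xhrSetDomainThrows = true; }
  return { before, after, xhrSetDomainThrows };
}

console.log(demo());
```

In this model the outer page loses access to the copied iframe document after setting `document.domain` (the security exception case), keeps access to the tracked XHR document, and cannot set `document.domain` on the XHR document itself.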