- From: Jonas Sicking <jonas@sicking.cc>
- Date: Thu, 24 Jan 2008 10:59:23 -0800

Jeff Walden wrote:
> The spec as currently written says that document.domain in a document
> located at a URI with no domain is null:
>
> data:text/html,<script>alert(document.domain);</script>
>
> Safari and Opera both alert the empty string for this; Firefox alerts null.
>
> There's also a domain property on MessageEvent, used with the
> cross-document postMessage API. The exact value of this property isn't
> quite clear in the current spec (which says the document has no domain
> but doesn't say what that translates into on the MessageEvent
> interface), but Opera and Safari both agree that the domain property
> should be the empty string when the page that calls postMessage is a
> data: URL.
>
> It seems that, for consistency, document.domain and MessageEvent.domain
> should both be the empty string in this case, for greatest cross-browser
> compatibility with the least change to the status quo, with the only
> change needing to happen in Firefox.

Note that this is a much bigger issue than simply what to return for
document.domain. It's basically the question, what security context
should data: documents and written-into documents use.

/ Jonas

Received on Thursday, 24 January 2008 10:59:23 UTC