W3C home > Mailing lists > Public > whatwg@whatwg.org > January 2008

[whatwg] MessageEvent.domain, document.domain on a page whose URI has no domain (e.g. data:text/html, ...)

From: Jonas Sicking <jonas@sicking.cc>
Date: Thu, 24 Jan 2008 10:59:23 -0800
Message-ID: <4798E00B.60206@sicking.cc>
Jeff Walden wrote:
> The spec as currently written says that document.domain in a document 
> located at a URI with no domain is null:
> 
> data:text/html,<script>alert(document.domain);</script>
> 
> Safari and Opera both alert the empty string for this; Firefox alerts null.
> 
> There's also a domain property on MessageEvent, used with the 
> cross-document postMessage API.  The exact value of this property isn't 
> quite clear in the current spec (which says the document has no domain 
> but doesn't say what that translates into on the MessageEvent 
> interface), but Opera and Safari both agree that the domain property 
> should be the empty string when the page that calls postMessage is a 
> data: URL.
> 
> It seems that, for consistency, document.domain and MessageEvent.domain 
> should both be the empty string in this case, for greatest cross-browser 
> compatibility with the least change to the status quo, with the only 
> change needing to happen in Firefox.

Note that this is a much bigger issue than simply what to return for
document.domain. It's basically the question, what security context
should data: documents and written-into documents use.

/ Jonas
Received on Thursday, 24 January 2008 10:59:23 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:00 UTC