- From: Adam Barth <whatwg@adambarth.com>
- Date: Fri, 13 Jun 2008 23:48:46 -0700

The current description of document.open(), at <http://www.whatwg.org/specs/web-apps/current-work/#open>, doesn't mention the method's effect on the document's security context.

The document.open() method replaces the document's security context with the security context of the currently executing script. In particular, the following properties are replaced:

1) document.URL becomes the URL of the document of the currently executing script.

2) document.baseURI becomes the URL of the document of the currently executing script (not its baseURI).

3) The document's origin and effective script origin become the origin and the effective script origin of the currently executing script. (Note: actually, the origins are aliased, as in the about:blank case, so that a change to one document's document.domain property affects the other.)

4) The document's cookie context becomes the cookie context of the document of the currently executing script.

There may be other things that get clobbered as well, but those were the ones I found.

This is available in code form, along with numerous tests, at <http://trac.webkit.org/changeset/34506>.

Adam
Received on Friday, 13 June 2008 23:48:46 UTC
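
The four replacements listed in the message, as a small JavaScript model that runs outside a browser. This is an added example, not part of the original message and not code from the WebKit changeset; the `Origin` and `Doc` classes, `documentOpen`, `demo` and the `example.test` URLs are all constructed for illustration, and the origin and effective script origin are collapsed into one object.

```javascript
// Toy model of the behaviour described in the message; not WebKit or spec code.
// Every name and URL below is constructed for illustration.
class Origin {
  constructor(scheme, host) { this.scheme = scheme; this.host = host; }
}

class Doc {
  constructor(url, baseURI) {
    const parsed = new URL(url);
    this.URL = url;
    this.baseURI = baseURI || url;   // a <base> element can make this differ from URL
    // Origin and effective script origin are modelled as one mutable object.
    this.origin = new Origin(parsed.protocol, parsed.hostname);
    this.cookieContext = url;        // stand-in for "which URL cookies are resolved against"
  }
  // document.domain writes through to the (possibly shared) origin object.
  set domain(value) { this.origin.host = value; }
  get domain() { return this.origin.host; }
}

// open() as described: the target document takes on the security context of
// the document whose script is currently executing (callerDoc).
function documentOpen(target, callerDoc) {
  target.URL = callerDoc.URL;                      // 1) URL of the caller's document
  target.baseURI = callerDoc.URL;                  // 2) caller's URL, not its baseURI
  target.origin = callerDoc.origin;                // 3) aliased: same object, not a copy
  target.cookieContext = callerDoc.cookieContext;  // 4) caller's cookie context
  return target;
}

function demo() {
  const caller = new Doc('https://app.example.test/page',
                         'https://app.example.test/assets/');
  const opened = new Doc('https://app.example.test/inner');
  const untouched = new Doc('https://app.example.test/other');

  documentOpen(opened, caller);
  caller.domain = 'example.test';   // set on the caller only

  // opened follows the caller through the aliased origin; untouched does not.
  return { caller, opened, untouched };
}

console.log(demo().opened);
```
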