- From: Jonas Sicking <jonas@sicking.cc>
- Date: Sat, 15 Dec 2012 17:33:01 -0800
- To: "public-script-coord@w3.org" <public-script-coord@w3.org>
- Cc: whatwg <whatwg@lists.whatwg.org>
An "easy" solution would be to just return null for .contentDocument in the case of cross-origin iframes. / Jonas On Sat, Dec 15, 2012 at 10:43 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote: > Ccing whatwg because that's where the whole "origin" thing is currently > defined. > > Consider this testcase: > > <iframe src="http://w3.org"></iframe><script> > window.onload = function () { > try { > var doc = document.querySelector("iframe").contentDocument; > var list = document.getElementsByTagName.call(doc, "*"); > alert(list.item(0).textContent); > } catch (e) { > alert(e); > } > }</script> > > This throws in Safari, Chrome, Firefox, and Opera, all on the > "getElementsByTagName.call" bit (except when loaded via file:// in Safari, > in which case it actually lets you read all data from random website in the > iframe). > > But I see nothing in the specs that requires this behavior, or indeed even > allows it. The security bits currently in the html spec talk about property > access on cross-origin Document and Window, but in this case there is no > property access happening on them per se... > > In any case, this needs to be defined somewhere. > > -Boris
Received on Sunday, 16 December 2012 01:34:00 UTC