- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 10 Jul 2012 01:07:15 +0000 (UTC)
- To: Ian Melven <imelven@mozilla.com>, Adam Barth <w3c@adambarth.com>, Anne van Kesteren <annevk@annevk.nl>
- Cc: whatwg@lists.whatwg.org, david-sarah@jacaranda.org
On Fri, 15 Jun 2012, Ian Melven wrote: > > in https://bugzilla.mozilla.org/show_bug.cgi?id=341604#c180, David-Sarah > Hopwood makes a few points about cookies in sandboxed documents : > > "Ugh, that's mandating an information leak about whether the document > has cookies. Maybe a minor leak, but I don't understand why it should > exist: if allow-same-origin is not set, then the clear intent is that no > information about cookies should be available." > > "Oh, and another reason not to do it that way is that it's a testing > hazard for web developers. They test when there are no cookies, it > works, then the parent document adds cookies (which has no reason to > make any difference), and it breaks because the code in the sandboxed > document didn't expect the exception." > > The spec (http://dev.w3.org/html5/spec/dom.html#sandboxCookies) says : > "On getting, if the document is a cookie-free Document object, then the > user agent must return the empty string. Otherwise, if the Document's > origin is not a scheme/host/port tuple, the user agent must throw a > SecurityError exception." > > IE 10, Chrome and the patches I am working on for Firefox all throw a > SecurityError even if no cookies are set - i agree that this seems like > the correct behaviour. I believe you have a mistaken understanding of what "cookie-free Document" meant. I've renamed the term to avoid the confusing interpretation. It's now called a "cookie-averse Document". Please let me know if you still think the logic described in the specification is incorrect. Thanks, -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 10 July 2012 01:07:45 UTC