- From: Ian Melven <imelven@mozilla.com>
- Date: Fri, 15 Jun 2012 15:46:08 -0700 (PDT)
- To: whatwg@lists.whatwg.org
- Cc: david-sarah@jacaranda.org
Hi,

in https://bugzilla.mozilla.org/show_bug.cgi?id=341604#c180, David-Sarah Hopwood makes a few points about cookies in sandboxed documents:

"Ugh, that's mandating an information leak about whether the document has cookies. Maybe a minor leak, but I don't understand why it should exist: if allow-same-origin is not set, then the clear intent is that no information about cookies should be available."

"Oh, and another reason not to do it that way is that it's a testing hazard for web developers. They test when there are no cookies, it works, then the parent document adds cookies (which has no reason to make any difference), and it breaks because the code in the sandboxed document didn't expect the exception."

The spec (http://dev.w3.org/html5/spec/dom.html#sandboxCookies) says:

"On getting, if the document is a cookie-free Document object, then the user agent must return the empty string. Otherwise, if the Document's origin is not a scheme/host/port tuple, the user agent must throw a SecurityError exception."

IE 10, Chrome and the patches I am working on for Firefox all throw a SecurityError even if no cookies are set - I agree that this seems like the correct behaviour.

thanks,
ian
Received on Friday, 15 June 2012 22:46:37 UTC
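
The following is an added example, not part of the original message and not code from any browser or from the spec. It models the getter order from the spec text quoted above with a constructed stand-in document, and shows a hypothetical helper (readCookies) that code running in a sandboxed document could use so that the SecurityError is handled the same way whether or not cookies are set. makeDoc, readCookies and the error message are assumptions made for the illustration.

```javascript
// Constructed stand-in for a browser Document, following the getter order in
// the spec text quoted above. In a real page you would pass `document` instead.
function makeDoc({ cookieFree = false, originIsTuple = true, jar = "" } = {}) {
  return {
    get cookie() {
      if (cookieFree) return "";            // cookie-free Document: empty string
      if (!originIsTuple) {                 // e.g. sandboxed without allow-same-origin
        const err = new Error("cookie access denied (constructed message)");
        err.name = "SecurityError";
        throw err;                          // thrown whether or not `jar` is empty
      }
      return jar;
    },
  };
}

// Hypothetical helper: read cookies without assuming the getter succeeds.
// Reports "not available" explicitly instead of letting the exception escape.
function readCookies(doc) {
  let raw;
  try {
    raw = doc.cookie;
  } catch (e) {
    if (e && e.name === "SecurityError") {
      return { available: false, cookies: {} };
    }
    throw e; // anything else is a real bug; do not swallow it
  }
  const cookies = {};
  for (const pair of raw.split(";")) {
    const idx = pair.indexOf("=");
    if (idx === -1) continue;               // skip empty or malformed segments
    const name = pair.slice(0, idx).trim();
    if (name) cookies[name] = pair.slice(idx + 1).trim();
  }
  return { available: true, cookies };
}
```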