- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Tue, 08 Jan 2013 01:46:27 -0500
- To: whatwg@lists.whatwg.org
On 1/8/13 1:42 AM, Boris Zbarsky wrote: >On 1/7/13 11:28 PM, Ian Hickson wrote: >> The check is the same -- if the Document that is the "this" to >> which the property is being applied doesn't match the origin of the >> script >> that is doing the applying, throw SecurityError. Actually, that's not enough. You have to security-check arguments too. Otherwise this: document.createTreeWalker(crossFrameDoc, etc); would be bad. (Note that right now the DOM spec fails to handle this, which is about what I would expect out of people creating APIs, which is why I would really prefer we define this on a low level where people can't screw up by forgetting it.) -Boris
Received on Tuesday, 8 January 2013 06:46:57 UTC