- From: Adam Barth <w3c@adambarth.com>
- Date: Wed, 9 Jan 2013 14:19:55 -0800
- To: Boris Zbarsky <bzbarsky@mit.edu>
- Cc: whatwg <whatwg@lists.whatwg.org>, Ian Hickson <ian@hixie.ch>

On Wed, Jan 9, 2013 at 2:18 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> On 1/9/13 4:33 PM, Adam Barth wrote:
>> For what it's worth, that doesn't appear to be necessary for web
>> compatibility. Any time WebKit would return a Document to a script in
>> another origin, WebKit returns null instead.
>
> The HTML spec requires that property access on documents use effective
> script origin for checks.
>
> Effective script origins are mutable.
>
> It is in fact possible to get your hands on a document in a different
> effective script origin in WebKit (thanks, document.domain).

Those checks are neither required for compatibility nor security. The
spec might say to perform the checks, but they aren't needed to build
a secure, compatible browser.

Adam

Received on Wednesday, 9 January 2013 22:20:52 UTC