- From: Mike West <mkwst@google.com>
- Date: Thu, 10 Jan 2013 00:17:07 +0100
- To: whatwg@whatwg.org
- Cc: Adam Barth <w3c@adambarth.com>

Hello!

In WebKit, loading '<iframe sandbox="allow-scripts" src="frame.html"></iframe>' with a framed document containing '<script>alert(window.location.origin);</script>' alerts the actual origin of the document, which wasn't what I expected.

I'm not sure what's intended, but I expected that treating the framed document as existing in a unique origin would have some effect on the string output as its location's origin.

Adam explained that WebKit currently treats the 'origin' attribute as the origin of the document's location, not the origin of the document[1]. This is generally benign, but surprised me in the sandboxed case.

What should the expected behavior in this case be? Given the way that MessageEvent sets the origin of a message from a sandboxed frame to the string "null", that seems like a reasonable option here as well. WDYT?

[1]: https://bugs.webkit.org/show_bug.cgi?id=106488#c1

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Received on Wednesday, 9 January 2013 23:17:59 UTC
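
The distinction raised in the message above, as an added example that is not part of the original post or of WebKit's code: the origin of a document's location versus the serialized origin of the document itself, and a receiver-side `message` check that uses the latter. All function names and the `example.test` URL are constructed for illustration, and only sandboxing via the iframe's own `sandbox` attribute is modelled.

```javascript
// Added example; names and sample values are constructed for illustration.

// Origin of the document's *location* (its URL). This is what the post
// reports window.location.origin returning in WebKit.
function locationOrigin(href) {
  return new URL(href).origin;
}

// Parse a sandbox attribute value into a set of lowercase tokens.
// null means the attribute is absent; "" means present with no allowances.
function sandboxTokens(attr) {
  if (attr === null || attr === undefined) return null;
  return new Set(attr.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean));
}

// Serialized origin of the *document*: "null" when the frame is sandboxed
// without allow-same-origin (unique origin), otherwise the URL's origin.
function documentOrigin(href, sandboxAttr) {
  const tokens = sandboxTokens(sandboxAttr);
  if (tokens !== null && !tokens.has("allow-same-origin")) return "null";
  return locationOrigin(href);
}

// Receiver-side check for a message from a frame this page embedded.
// Every unique-origin document serializes to the same "null" string, so
// the origin string alone proves nothing; event.source must be our frame.
function acceptMessage(event, frame) {
  if (event.source !== frame.contentWindow) return false;
  return event.origin === documentOrigin(frame.src, frame.sandbox);
}

// Constructed sample: the frame from the post at a placeholder URL.
const frameWindow = {};
const frame = {
  src: "https://example.test/frame.html",
  sandbox: "allow-scripts",
  contentWindow: frameWindow,
};
console.log("location origin:", locationOrigin(frame.src));
console.log("document origin:", documentOrigin(frame.src, frame.sandbox));
console.log("accepted:", acceptMessage({ origin: "null", source: frameWindow }, frame));
```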