- From: Ian Hickson <ian@hixie.ch>
- Date: Thu, 10 Jan 2013 00:47:52 +0000 (UTC)
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: whatwg@lists.whatwg.org, Boris Zbarsky <bzbarsky@mit.edu>
On Wed, 9 Jan 2013, Anne van Kesteren wrote:
> On Tue, Jan 8, 2013 at 7:46 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> > Actually, that's not enough. You have to security-check arguments
> > too. Otherwise this:
> >
> > document.createTreeWalker(crossFrameDoc, etc);
> >
> > would be bad. (Note that right now the DOM spec fails to handle this,
> > which is about what I would expect out of people creating APIs, which
> > is why I would really prefer we define this on a low level where
> > people can't screw up by forgetting it.)
>
> You didn't file a bug on this I think. I did think HTML handled this
> already though which is why it is not addressed in the DOM
> specification.

If we can make Window.document and contentDocument on iframe, frame, and
object return "null" when cross-origin, we can drop the security checks
on Document and createTreeWalker(), as far as I can tell. That would
maybe simplify matters a little.

It's an orthogonal move relative to what bz has been advocating for in
terms of what security model we should have, and it's more like what
Chrome has. But do Opera and Microsoft want to go in that direction? I'm
not over the moon about changing the security model without more buy-in.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 10 January 2013 00:48:17 UTC
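The argument-level check bz describes (a DOM method refusing a node that belongs to a document the caller is not allowed to touch) is easy to see in miniature. The following is an added example written for this archive page, not code from the thread, the DOM specification, or any browser: it models the same-origin comparison with Node's URL parser and applies it to a stand-in createTreeWalker before any traversal happens. The Document and Node objects, the names originOf, sameOrigin, checkArgumentOrigin and guardedCreateTreeWalker, and the sample URLs are all constructed for the example.

```javascript
// Added example (not from the thread or the DOM spec): an argument-level
// origin check of the kind discussed for document.createTreeWalker(crossFrameDoc).
// Runs under Node.js; Document/Node below are constructed stand-ins.

// Node exposes DOMException globally from v17; fall back to a plain Error elsewhere.
const SecurityException = globalThis.DOMException ??
  class extends Error { constructor(message, name) { super(message); this.name = name; } };

// Serialize a URL's origin (scheme, host, port; default ports are dropped).
// Opaque origins such as file: or data: URLs serialize as the string "null".
function originOf(url) {
  return new URL(url).origin;
}

// Two origins are the same only when both are tuple origins with identical
// serialization. An opaque origin is never same-origin with anything, itself included.
function sameOrigin(a, b) {
  return a !== 'null' && a === b;
}

// Constructed stand-in for a Document (nodeType 9) that can mint element nodes.
function makeDocument(url) {
  const doc = { url, origin: originOf(url), nodeType: 9, ownerDocument: null };
  doc.createElement = (name) =>
    ({ nodeType: 1, nodeName: name.toUpperCase(), ownerDocument: doc });
  return doc;
}

// The document a node belongs to (a Document node belongs to itself).
function nodeDocument(node) {
  return node.nodeType === 9 ? node : node.ownerDocument;
}

// The guard itself: the caller's document must be same-origin with the document
// that owns the node passed as an argument, otherwise raise SecurityError.
function checkArgumentOrigin(callerDoc, node, argName) {
  const target = nodeDocument(node);
  if (!sameOrigin(callerDoc.origin, target.origin)) {
    throw new SecurityException(
      `Blocked ${argName}: ${callerDoc.origin} may not use a node owned by ${target.origin}`,
      'SecurityError');
  }
}

// createTreeWalker with the argument check applied before anything else;
// the returned object is a constructed stand-in for a TreeWalker.
function guardedCreateTreeWalker(callerDoc, root, whatToShow = 0xFFFFFFFF) {
  checkArgumentOrigin(callerDoc, root, 'root');
  return { root, whatToShow, currentNode: root };
}

// Stand-alone demonstration with constructed documents.
const app = makeDocument('https://example.com/app');
const sameSite = makeDocument('https://example.com:443/other'); // default port: same origin
const other = makeDocument('https://other.example.net/');

console.log('same-origin root accepted:',
  guardedCreateTreeWalker(app, sameSite.createElement('div')).root.nodeName);
try {
  guardedCreateTreeWalker(app, other);
} catch (e) {
  console.log('cross-origin root rejected:', e.name, '-', e.message);
}
```

Note that the check runs against the argument's owner document, not against the document the method was called on: that is exactly the gap the quoted text points at, since checking only `document` says nothing about where `crossFrameDoc` came from. The "null" handling is the caveat worth remembering when writing such a guard: comparing serialized origins with `===` alone would wrongly treat two opaque origins as equal.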