Re: [whatwg] Proposal: location.parentOrigin

From: Ian Hickson <ian@hixie.ch>
Date: Tue, 16 Jul 2013 17:53:36 +0000 (UTC)
To: Tobie Langel <tobie.langel@gmail.com>
Message-ID: <alpine.DEB.2.00.1307161751130.31051@ps20323.dreamhostps.com>
Cc: whatwg <whatwg@lists.whatwg.org>, Michal Zalewski <lcamtuf@coredump.cx>, Adam Barth <w3c@adambarth.com>, Malte Ubl <malte.ubl@gmail.com>, Jonas Sicking <jonas@sicking.cc>

On Tue, 20 Nov 2012, Tobie Langel wrote:
> On Tue, Nov 20, 2012 at 6:47 AM, Ian Hickson <ian@hixie.ch> wrote:
> > On Mon, 26 Mar 2012, Adam Barth wrote:
> >>
> >> For nested browsing contexts, expose the origin of the parent 
> >> browsing context via location.parentOrigin.  (For non-nested browsing 
> >> context, the property would be null.)
> >
> > This ended up implemented in WebKit as Location.ancestorOrigins(), a 
> > method that returns a static DOMStringList with the origins of the 
> > ancestor browsing contexts in reverse order (top-level browsing 
> > context last, parent browsing context first). It doesn't respect 
> > sandboxing.
> 
> This API is painful to use and doesn't contain any info for 
> window.opener or sibling browsing contexts (see WebKit bug[1] and 
> related discussion on G+[2]) which makes it useless for some of the use 
> cases.
> 
> A better API would allow getting the origin of a referenced browsing 
> context, e.g.:
> 
>     window.getOrigin(otherWindow);
> 
> and to check whether it came from the same origin (sugar around 
> window.getOrigin(otherWindow) == window.getOrigin(window)):
> 
>     window.isSameOrigin(otherWindow);
> 
> That said, one of the key use cases for this API is to code around a 
> WebKit bug[3] so maybe that should be fixed first.
>
> [1]: https://bugs.webkit.org/show_bug.cgi?id=83493
> [2]: https://plus.google.com/116910304844117268718/posts/QyHfGL9GBd5
> [3]: https://bugs.webkit.org/show_bug.cgi?id=43504

Would just exposing window.location.origin solve this?

Is there a privacy concern with doing that? It seems like it would be 
equivalent to the window.getOrigin(otherWindow) case above. parentOrigin 
doesn't have this problem because it's assumed that it's ok to access the 
origins of your ancestors, since you can't e.g. make one of your ancestors 
load a redirector URL and then read out its origin (since making your 
ancestor navigate will kill you).

Can't you do window.isSameOrigin by just trying to access 
window.location.href and seeing if you get an exception?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 16 July 2013 17:54:00 UTC
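
The two checks discussed in this thread, as an added example that is not part of the original message or of any browser's code: a same-origin probe that reads `location.href` and treats a `SecurityError` as "cross-origin", and a framing check over the ancestor origin list (parent first, top-level last). The helper names `parentOrigin` and `framedOnlyBy`, the `*.example` origins and the mock objects are assumptions made for illustration, and the list is read as the `location.ancestorOrigins` property.

```javascript
// Same-origin probe: reading location.href on a cross-origin window throws a
// SecurityError, so a successful read means the other window is same-origin.
function isSameOrigin(otherWindow) {
  try {
    void otherWindow.location.href;
    return true;
  } catch (e) {
    if (e && e.name === "SecurityError") return false;
    throw e; // anything else is a real bug, not an origin answer
  }
}

// Parent origin taken from the ancestor list; null for a non-nested context.
function parentOrigin(loc) {
  const list = loc.ancestorOrigins;
  return list && list.length > 0 ? list[0] : null;
}

// Defensive framing check for an embeddable widget: every ancestor, not only
// the direct parent, must be on the allowlist. An empty list means "not framed".
function framedOnlyBy(loc, allowedOrigins) {
  return Array.from(loc.ancestorOrigins || []).every(
    (origin) => allowedOrigins.includes(origin)
  );
}

// Constructed stand-ins for browser objects so the example runs outside a page.
const sameOriginWin = { location: { href: "https://widget.example/frame.html" } };
const crossOriginWin = {
  location: {
    get href() {
      const err = new Error("Blocked a frame from accessing a cross-origin frame");
      err.name = "SecurityError";
      throw err;
    },
  },
};
const nestedLoc = {
  ancestorOrigins: ["https://embedder.example", "https://portal.example"],
};
const topLevelLoc = { ancestorOrigins: [] };

console.log(isSameOrigin(sameOriginWin), isSameOrigin(crossOriginWin));
console.log(parentOrigin(nestedLoc), parentOrigin(topLevelLoc));
console.log(framedOnlyBy(nestedLoc, ["https://embedder.example"]));
```

Allowlisting only the direct parent is not enough: in the sample, the parent is allowed but the top-level origin is not, so the check fails.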