- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Thu, 16 Jan 2014 12:15:17 -0500
- To: www-dom@w3.org
On 1/16/14 12:07 PM, Boris Zbarsky wrote:
> If you want me to spend time answering that question, I really do
> suggest you do the above, because I simply don't have any more time to
> spend on this discussion if we're going to ignore parts of it and write
> obfuscated code.

But ok, let me see if I'm following this mess right:

1) The page is loaded from dl.dropboxusercontent.com. It sets document.domain to itself.
2) "start-navigation-frame" is loaded from foobar.dl.dropboxusercontent.com
3) The frame sets document.domain to "dl.dropboxusercontent.com".
4) The frame posts a message to itself and extracts the "origin" from the message event, whatever that is in this case.
5) The frame then sets the .src on a frame in the parent, to a string that will run a script that expects the origin to be that of the frame.

Correct?

If so, no, that's not a valid testcase. We talked about this up-thread already. Just to refresh your memory, please read http://lists.w3.org/Archives/Public/www-dom/2014JanMar/0025.html and note that setting iframe.src and setting iframe.contentWindow.location have different behavior: the former is treated as a navigation by the document containing the iframe (because in fact that's what does the navigation), while the latter is treated as a navigation by the script doing the location set. They differ not just in terms of origin but also base URI resolution, for example.

-Boris
Received on Thursday, 16 January 2014 17:15:47 UTC
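
The distinction drawn in the message above, as an added example that is not part of the original message: a small JavaScript model (not browser code) of which document counts as the navigator for each mechanism, and how a relative URL resolves as a result. The https scheme, the paths and the function name `describeNavigation` are assumptions made for the illustration; only the two host names come from the message.

```javascript
// Model only: this does not touch a real DOM. It encodes the rule stated in
// the message: iframe.src navigates on behalf of the document that contains
// the <iframe>, while contentWindow.location navigates on behalf of the
// script that performs the assignment.
// document.domain is deliberately not modelled here.

// Constructed document URLs (hosts from the message, scheme and paths assumed).
const parentDoc = new URL("https://dl.dropboxusercontent.com/u/test/index.html");
const frameDoc = new URL("https://foobar.dl.dropboxusercontent.com/frames/start.html");

// mechanism:    "iframe.src" or "contentWindow.location"
// containerDoc: URL of the document that contains the <iframe> element
// callerDoc:    URL of the document whose script does the assignment
// value:        the string being assigned (possibly a relative URL)
function describeNavigation(mechanism, containerDoc, callerDoc, value) {
  let initiator;
  if (mechanism === "iframe.src") {
    initiator = containerDoc; // the containing document does the navigation
  } else if (mechanism === "contentWindow.location") {
    initiator = callerDoc;    // the calling script does the navigation
  } else {
    throw new Error("unknown mechanism: " + mechanism);
  }
  return {
    initiatorOrigin: initiator.origin,
    // Relative URLs resolve against the initiator's base URL.
    resolvedURL: new URL(value, initiator).href,
  };
}

// Step 5 of the message: script running in the subdomain frame assigns to a
// frame that lives in the parent document.
const viaSrc = describeNavigation("iframe.src", parentDoc, frameDoc, "target.html");
const viaLocation = describeNavigation("contentWindow.location", parentDoc, frameDoc, "target.html");

console.log(viaSrc);
console.log(viaLocation);
```
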