- From: Hallvord R. M. Steen <hallvord@opera.com>
- Date: Fri, 14 Mar 2008 11:08:08 +0900
- To: "Jonas Sicking" <jonas@sicking.cc>, "Jeff Schiller" <codedread@gmail.com>
- Cc: "Anne van Kesteren" <annevk@opera.com>, "Boris Zbarsky" <bzbarsky@mit.edu>, "Web API WG (public)" <public-webapi@w3.org>, www-svg <www-svg@w3.org>

On Fri, 14 Mar 2008 05:24:45 +0900, Jonas Sicking <jonas@sicking.cc> wrote:

>> I can understand not letting the embedded object get at the elements
>> outside of the HTMLObjectElement, but this seems like a weird design
>> flaw - the object parameters should be accessible to the embedded
>> object, regardless of domain - that's their purpose. It would have
>> been great if HTMLObjectElement had an accessible "params" NodeList
>> readonly attribute :(

I don't think that's a good idea because it opens up too many opportunities for violating cross-domain policies. For example, you'd have to introduce security checks on properties like window.frameElement.nodeList[0].parentElement..

> The proper fix here is IMHO to add something to the window object. So
> that you don't have to reach out into documents that are from a
> different domain.

Agree. Would window.paramList be a good name? An object with name:value mappings would be useful, and one could iterate over it with for..in as usual.

--
Hallvord R. M. Steen
Core QA JavaScript tester, Opera Software
http://www.opera.com/
Opera - simply the best Internet experience

Received on Friday, 14 March 2008 02:08:08 UTC
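
Added example, not part of the original message and not any browser's implementation: it models the two designs discussed above with plain JavaScript objects and checks whether the embedding page's element is reachable from what the embedded content is handed. The node stand-ins and the names `makeEmbeddingObject`, `buildParamList`, `canReach` and `demo` are hypothetical, and "first occurrence wins" for duplicate names is an assumption.

```javascript
// Constructed stand-ins for DOM nodes: an embedding page's <object> with two
// <param> children. Each param node links back to its parent, as DOM nodes do.
function makeEmbeddingObject() {
  const objectEl = { tagName: 'OBJECT', ownerSecret: 'embedding-page-data', children: [] };
  for (const [name, value] of [['color', 'red'], ['speed', '3']]) {
    objectEl.children.push({ tagName: 'PARAM', name, value, parentElement: objectEl });
  }
  return objectEl;
}

// Hypothetical builder for the proposed window.paramList: copies name/value out
// as strings into a prototype-less, frozen object. No node reference survives.
function buildParamList(objectEl) {
  const list = Object.create(null);
  for (const node of objectEl.children) {
    if (node.tagName !== 'PARAM') continue;
    const name = String(node.name);
    if (!(name in list)) list[name] = String(node.value); // first occurrence wins (assumption)
  }
  return Object.freeze(list);
}

// Walks every value reachable from `root` and reports whether `target` is among them.
function canReach(root, target, seen = new Set()) {
  if (root === target) return true;
  if (root === null || typeof root !== 'object' || seen.has(root)) return false;
  seen.add(root);
  return Reflect.ownKeys(root).some((k) => canReach(root[k], target, seen));
}

function demo() {
  const objectEl = makeEmbeddingObject();
  const nodeListStyle = objectEl.children;    // the "params" NodeList idea
  const mapStyle = buildParamList(objectEl);  // the name:value mapping idea
  const names = [];
  for (const n in mapStyle) names.push(n);    // for..in iteration, as the message suggests
  return {
    names,
    nodeListLeaks: canReach(nodeListStyle, objectEl), // true: parentElement leads out
    mapLeaks: canReach(mapStyle, objectEl),           // false: only strings are exposed
  };
}
```

With the list-of-nodes design every exposed node needs a per-property security check; with the string mapping there is no object graph to guard.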