- From: Adam Barth <hk9565@gmail.com>
- Date: Thu, 24 Jan 2008 11:24:20 -0800
On Jan 24, 2008 10:59 AM, Jonas Sicking <jonas at sicking.cc> wrote:
> Note that this is a much bigger issue than simply what to return for
> document.domain. It's basically the question, what security context
> should data: documents and written-into documents use.

The security origin of frames that begin life with the URL "about:blank" or "" differs in different browsers. In Firefox and the trunk revision of WebKit, the principal for the frame is aliased to the principal of the frame's parent (or opener, if it is a top-level frame). In IE7, the frame appears to copy the principal.

http://crypto.stanford.edu/~abarth/research/html5/empty-frame/

The frame's window.location.href property matches the parent/opener in Firefox, IE, and Safari:

http://crypto.stanford.edu/~abarth/research/html5/empty-frame/href.html

Adam
Received on Thursday, 24 January 2008 11:24:20 UTC
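
The difference between aliasing and copying the parent's principal, as a small JavaScript model added here (not code from the message above or from any browser). The `Principal`, `Frame`, `canAccess` and `scenario` names, the host `www.example.test`, and the rule that both sides must set document.domain to match are assumptions of the model.

```javascript
// Simplified model of a security principal: origin triple plus the
// optional override installed when script assigns document.domain.
class Principal {
  constructor(scheme, host, port) {
    this.scheme = scheme;
    this.host = host;
    this.port = port;
    this.domain = null; // null until document.domain is assigned
  }
  clone() {
    const p = new Principal(this.scheme, this.host, this.port);
    p.domain = this.domain;
    return p;
  }
}

// Assumed access rule: identical principal objects always match; if either
// side has set document.domain, both must have set it to the same value;
// otherwise compare scheme, host and port.
function canAccess(a, b) {
  if (a === b) return true;
  if (a.domain !== null || b.domain !== null) {
    return a.domain !== null && a.domain === b.domain && a.scheme === b.scheme;
  }
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

class Frame {
  constructor(principal) { this.principal = principal; }
  // An empty ("about:blank" or "") child either shares the parent's
  // principal object ("alias") or receives a snapshot of it ("copy").
  createEmptyChild(strategy) {
    const p = strategy === "alias" ? this.principal : this.principal.clone();
    return new Frame(p);
  }
  setDocumentDomain(d) { this.principal.domain = d; }
}

// The parent creates an empty child, then relaxes document.domain.
function scenario(strategy) {
  const parent = new Frame(new Principal("https", "www.example.test", 443));
  const child = parent.createEmptyChild(strategy);
  const before = canAccess(parent.principal, child.principal);
  parent.setDocumentDomain("example.test");
  const after = canAccess(parent.principal, child.principal);
  return { before, after, childDomain: child.principal.domain };
}

console.log("alias:", scenario("alias"), "copy:", scenario("copy"));
```

In the model, the aliased child follows every later change to the parent's principal, while the copied child keeps the snapshot taken at creation and stops matching once the parent sets document.domain.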