23218 2013-09-11 20:26:33 +0000 <iframe name=foo> should be able to access parent.window.foo, even cross-origin, according to Gecko and Safari. 2013-10-01 20:53:58 +0000 1 1 1 Unclassified WHATWG HTML unspecified Other other RESOLVED DUPLICATE 21674 http://www.whatwg.org/specs/web-apps/current-work/#security-2 P3 normal Unsorted 1 contributor ian bobbyholley bzbarsky ian mike w3c contributor oldest_to_newest 93267 0 contributor 2013-09-11 20:26:33 +0000 Specification: http://www.whatwg.org/specs/web-apps/current-work/ Multipage: http://www.whatwg.org/C#security-2 Complete: http://www.whatwg.org/c#security-2 Referrer: Comment: <iframe name=foo> should be able to access parent.window.foo, even cross-origin, according to Gecko and Safari. Posted from: 216.239.45.72 by ian@hixie.ch User agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1612.2 Safari/537.36 93268 1 ian 2013-09-11 20:26:59 +0000 TESTCASE http://www.hixie.ch/tests/adhoc/dom/level0/window/security/001.html Chrome fails this. (cc abarth) 93275 2 ian 2013-09-11 21:32:09 +0000 Er, ignore that test. I changed it afterwards. It's testing something else. 93405 3 bzbarsky 2013-09-16 03:17:02 +0000 I've been trying to see if we can drop this in Gecko: disallow all cross-origin access to named _or_ indexed stuff on windows.... Web compatible? 93436 4 ian 2013-09-16 17:50:19 +0000 I would definitely be in favour of dropping this if you can, but I would be surprised if it was Web compatible. 93451 5 bobbyholley 2013-09-16 19:34:39 +0000 (In reply to Ian 'Hixie' Hickson from comment #4) > I would definitely be in favour of dropping this if you can, but I would be > surprised if it was Web compatible. I'm going to give it a try. I've filed [1] and [2]. [1] https://bugzilla.mozilla.org/show_bug.cgi?id=916939 [2] https://bugzilla.mozilla.org/show_bug.cgi?id=916945 93500 6 ian 2013-09-17 20:00:33 +0000 Cool, I'll wait to see what happens before fixing the spec then. Hopefully that'll make you happy bz, since you've complained about the opposite in the past. :-) 93501 7 bzbarsky 2013-09-17 20:02:05 +0000 I can clearly never be happy. MWAHAHA! ;) 93604 8 bobbyholley 2013-09-20 17:38:49 +0000 (In reply to Bobby Holley (:bholley) from comment #5) > (In reply to Ian 'Hixie' Hickson from comment #4) > > I would definitely be in favour of dropping this if you can, but I would be > > surprised if it was Web compatible. > > I'm going to give it a try. I've filed [1] and [2]. > > [1] https://bugzilla.mozilla.org/show_bug.cgi?id=916939 This one (dropping support for named access on cross-origin windows) broke Google Hangouts, so I backed it out. I think it's pretty doomed. > [2] https://bugzilla.mozilla.org/show_bug.cgi?id=916945 This one involves subframes polluting the scope of their parent. I came up with a trick here that I think will make it web-compatible. We'll see soon enough. 94116 9 ian 2013-10-01 20:53:58 +0000 This is really bug 21674, right? I'm marking this as a dupe, reopen it if I missed something. > > [2] https://bugzilla.mozilla.org/show_bug.cgi?id=916945 > > This one involves subframes polluting the scope of their parent. I came up > with a trick here that I think will make it web-compatible. We'll see soon > enough. If you manage that, please file a new bug to cover it. *** This bug has been marked as a duplicate of bug 21674 ***