23219 2013-09-11 20:35:06 +0000 contentDocument on iframe, object, frame, etc, should do a security check (and then, if that's the last of the ways you can get to Document, we can remove the security checks on Document) 2013-11-12 21:53:12 +0000 1 1 1 Unclassified WHATWG HTML unspecified Other other RESOLVED FIXED http://www.whatwg.org/specs/web-apps/current-work/#the-object-element P3 normal Unsorted 1 contributor ian bobbyholley bzbarsky ian mike w3c contributor oldest_to_newest 93270 0 contributor 2013-09-11 20:35:06 +0000 Specification: http://www.whatwg.org/specs/web-apps/current-work/ Multipage: http://www.whatwg.org/C#the-object-element Complete: http://www.whatwg.org/c#the-object-element Referrer: Comment: contentDocument on iframe, object, frame, etc, should do a security check (and then, if that's the last of the ways you can get to Document, we can remove the security checks on Document) Posted from: 2620:0:1000:167c:5df3:e6f0:15bb:7617 by ian@hixie.ch User agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1612.2 Safari/537.36 93448 1 bobbyholley 2013-09-16 19:12:48 +0000 Mozilla did this in [1] a little while back. Please let me know if we're at all divergent from the desired behavior here. [1] https://bugzilla.mozilla.org/show_bug.cgi?id=829872 96161 2 ian 2013-11-12 03:31:07 +0000 So Safari and Firefox return null, Chrome throws a security exception. Throwing a security exception does seem more consistent with other places where we try to do this kind of thing. Firefox throws an exception for window.document, for instance. bholley, would you be willing to move Firefox to throwing an exception for cross-origin contentDocument instead of returning null? 96162 3 bzbarsky 2013-11-12 03:53:48 +0000 Throwing an exception during a basic for/in loop over some random object from your own web page seems like a bit of an antipattern to me... 96184 4 bobbyholley 2013-11-12 16:49:58 +0000 (In reply to Ian 'Hixie' Hickson from comment #2) > Throwing a security exception does seem more consistent with other places > where we try to do this kind of thing. Firefox throws an exception for > window.document, for instance. You mean getting |document| off a cross-origin |window| object? That seems very different from getting |contentDocument| off a same-origin iframe element. As boris noted, I think it would be a shame if enumerating random HTML Elements could cause a security exception. > bholley, would you be willing to move Firefox > to throwing an exception for cross-origin contentDocument instead of > returning null? Totally willing as an implementor if everyone decides that these are optimal semantics, but I'm not convinced that they are. 96207 5 ian 2013-11-12 21:49:53 +0000 Fair enough. I'll make it return null. 96208 6 contributor 2013-11-12 21:50:49 +0000 Checked in as WHATWG revision r8272. Check-in comment: Change iframe, frame, and object.contentDocument to return null when cross-origin documents are involved. http://html5.org/tools/web-apps-tracker?from=8271&to=8272 96210 7 contributor 2013-11-12 21:53:12 +0000 Checked in as WHATWG revision r8273. Check-in comment: Remove security checks on Document since there should now be no way to get to a Document from another origin. http://html5.org/tools/web-apps-tracker?from=8272&to=8273