Bug 106488
| Summary: | Should `window.location.origin` return 'null' in a sandbox? | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Mike West <mkwst> |
| Component: | WebCore Misc. | Assignee: | Mike West <mkwst> |
| Status: | RESOLVED INVALID | ||
| Severity: | Normal | CC: | abarth, syoichi |
| Priority: | P2 | ||
| Version: | 528+ (Nightly build) | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
Mike West
'<iframe sandbox="allow-scripts" src="frame.html"></iframe>' with a framed document containing '<script>alert(window.location.origin);</script>' alerts the actual origin of the document, which wasn't what I expected. I'm not sure what's intended, but I expected that treating the framed document as existing in a unique origin would have some effect on the string output as it's location's origin.
WDYT, Adam?
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Adam Barth
It just returns the origin of the document's location, not the origin of the document itself. I agree that's surprising for sandboxed documents.
Mike West
(In reply to comment #1)
> It just returns the origin of the document's location, not the origin of the document itself. I agree that's surprising for sandboxed documents.
Is it surprising enough that we should clearly change it, or should I just drop a note to the WHATWG?
Adam Barth
I'd ask annevk on whatwg@, but I agree that we should probably change it. :)
Mike West
Asked on whatwg@, Anne was unsurprised. FF's implementation matches ours, let's just leave it.