Bug 106488

Summary: Should `window.location.origin` return 'null' in a sandbox?
Product: WebKit
Reporter: Mike West <mkwst>
Component: WebCore Misc.
Assignee: Mike West <mkwst>
Status: RESOLVED INVALID
Severity: Normal
CC: abarth, syoichi
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified

Description Mike West 2013-01-09 13:50:18 PST
'<iframe sandbox="allow-scripts" src="frame.html"></iframe>' with a framed document containing '<script>alert(window.location.origin);</script>' alerts the actual origin of the document, which wasn't what I expected. I'm not sure what's intended, but I expected that treating the framed document as existing in a unique origin would have some effect on the string output as its location's origin.

WDYT, Adam?
Comment 1 Adam Barth 2013-01-09 14:10:45 PST
It just returns the origin of the document's location, not the origin of the document itself.  I agree that's surprising for sandboxed documents.
Comment 2 Mike West 2013-01-09 14:20:29 PST
(In reply to comment #1)
> It just returns the origin of the document's location, not the origin of the document itself.  I agree that's surprising for sandboxed documents.

Is it surprising enough that we should clearly change it, or should I just drop a note to the WHATWG?
Comment 3 Adam Barth 2013-01-09 15:05:33 PST
I'd ask annevk on whatwg@, but I agree that we should probably change it.  :)
Comment 4 Mike West 2013-02-08 04:53:46 PST
Asked on whatwg@, Anne was unsurprised. FF's implementation matches ours, let's just leave it.
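
The distinction drawn in Comment 1, as an added example that is not part of the bug thread or of WebKit's code: a simplified JavaScript model of the origin of a framed document's URL versus the origin of the document itself. The `example.test` URLs and all function names are constructed, and the model assumes only the iframe's own `sandbox` attribute matters (no inherited or CSP-imposed sandbox flags).

```javascript
// Simplified model of the two "origin" notions discussed in this bug.
// Assumption: only the iframe's own sandbox attribute is considered; sandbox
// flags inherited from a parent or imposed by CSP are out of scope.

// Parse a sandbox attribute value into a set of lower-cased tokens.
// null/undefined means the attribute is absent (the frame is not sandboxed).
function parseSandbox(attr) {
  if (attr === null || attr === undefined) return null;
  return new Set(attr.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean));
}

// What window.location.origin reports: the origin of the document's URL.
function locationOrigin(src) {
  return new URL(src).origin;
}

// What the document's own origin serializes to (self.origin in browsers that
// expose it): "null" when sandboxed without the allow-same-origin token.
function documentOrigin(src, sandboxAttr) {
  const tokens = parseSandbox(sandboxAttr);
  if (tokens !== null && !tokens.has("allow-same-origin")) return "null";
  return locationOrigin(src);
}

// Check usable by script inside a frame: true when the document runs in a
// unique origin even though location.origin still names a real origin.
// `win` is any object shaped like a Window (hypothetical helper).
function locationOriginIsMisleading(win) {
  return win.origin === "null" && win.location.origin !== "null";
}

// Constructed sample frames, including the one from the bug description.
const SAMPLE_FRAMES = [
  { src: "https://example.test/frame.html", sandbox: "allow-scripts" },
  { src: "https://example.test/frame.html", sandbox: "allow-scripts ALLOW-SAME-ORIGIN" },
  { src: "https://example.test/frame.html", sandbox: "" },
  { src: "https://example.test/frame.html", sandbox: null },
];

// Return both values for every sample frame so they can be compared.
function compareOrigins(frames = SAMPLE_FRAMES) {
  return frames.map((f) => ({
    sandbox: f.sandbox,
    location: locationOrigin(f.src),
    document: documentOrigin(f.src, f.sandbox),
  }));
}
```

In a page, `locationOriginIsMisleading(window)` gives the framed script a way to notice that it is sandboxed into a unique origin, which `window.location.origin` alone does not reveal.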