Bug 106488 - Should `window.location.origin` return 'null' in a sandbox?
: Should `window.location.origin` return 'null' in a sandbox?
Status: RESOLVED INVALID
: WebKit
WebCore Misc.
: 528+ (Nightly build)
: Unspecified Unspecified
: P2 Normal
Assigned To:
:
:
:
:
  Show dependency treegraph
 
Reported: 2013-01-09 13:50 PST by
Modified: 2013-02-08 04:53 PST (History)


Attachments


Note

You need to log in before you can comment on or make changes to this bug.


Description From 2013-01-09 13:50:18 PST
'<iframe sandbox="allow-scripts" src="frame.html"></iframe>' with a framed document containing '<script>alert(window.location.origin);</script>' alerts the actual origin of the document, which wasn't what I expected. I'm not sure what's intended, but I expected that treating the framed document as existing in a unique origin would have some effect on the string output as it's location's origin.

WDYT, Adam?
------- Comment #1 From 2013-01-09 14:10:45 PST -------
It just returns the origin of the document's location, not the origin of the document itself.  I agree that's surprising for sandboxed documents.
------- Comment #2 From 2013-01-09 14:20:29 PST -------
(In reply to comment #1)
> It just returns the origin of the document's location, not the origin of the document itself.  I agree that's surprising for sandboxed documents.

Is it surprising enough that we should clearly change it, or should I just drop a note to the WHATWG?
------- Comment #3 From 2013-01-09 15:05:33 PST -------
I'd ask annevk on whatwg@, but I agree that we should probably change it.  :)
------- Comment #4 From 2013-02-08 04:53:46 PST -------
Asked on whatwg@, Anne was unsurprised. FF's implementation matches ours, let's just leave it.