Bug 106488 - Should `window.location.origin` return 'null' in a sandbox?
: Should `window.location.origin` return 'null' in a sandbox?
Status: RESOLVED INVALID
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
: 528+ (Nightly build)
: Unspecified Unspecified
: P2 Normal
Assigned To: Mike West
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2013-01-09 13:50 PST by Mike West
Modified: 2013-02-08 04:53 PST (History)
2 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Mike West 2013-01-09 13:50:18 PST
'<iframe sandbox="allow-scripts" src="frame.html"></iframe>' with a framed document containing '<script>alert(window.location.origin);</script>' alerts the actual origin of the document, which wasn't what I expected. I'm not sure what's intended, but I expected that treating the framed document as existing in a unique origin would have some effect on the string output as it's location's origin.

WDYT, Adam?
Comment 1 Adam Barth 2013-01-09 14:10:45 PST
It just returns the origin of the document's location, not the origin of the document itself.  I agree that's surprising for sandboxed documents.
Comment 2 Mike West 2013-01-09 14:20:29 PST
(In reply to comment #1)
> It just returns the origin of the document's location, not the origin of the document itself.  I agree that's surprising for sandboxed documents.

Is it surprising enough that we should clearly change it, or should I just drop a note to the WHATWG?
Comment 3 Adam Barth 2013-01-09 15:05:33 PST
I'd ask annevk on whatwg@, but I agree that we should probably change it.  :)
Comment 4 Mike West 2013-02-08 04:53:46 PST
Asked on whatwg@, Anne was unsurprised. FF's implementation matches ours, let's just leave it.