RESOLVED INVALID 106488
Should `window.location.origin` return 'null' in a sandbox? 
https://bugs.webkit.org/show_bug.cgi?id=106488
Summary Should `window.location.origin` return 'null' in a sandbox?
Mike West
Reported 2013-01-09 13:50:18 PST
'<iframe sandbox="allow-scripts" src="frame.html"></iframe>' with a framed document containing '<script>alert(window.location.origin);</script>' alerts the actual origin of the document, which wasn't what I expected. I'm not sure what's intended, but I expected that treating the framed document as existing in a unique origin would have some effect on the string output as it's location's origin. WDYT, Adam?
Attachments
Add attachment proposed patch, testcase, etc.
Adam Barth
Comment 1 2013-01-09 14:10:45 PST
It just returns the origin of the document's location, not the origin of the document itself. I agree that's surprising for sandboxed documents.
Mike West
Comment 2 2013-01-09 14:20:29 PST
(In reply to comment #1) > It just returns the origin of the document's location, not the origin of the document itself. I agree that's surprising for sandboxed documents. Is it surprising enough that we should clearly change it, or should I just drop a note to the WHATWG?
Adam Barth
Comment 3 2013-01-09 15:05:33 PST
I'd ask annevk on whatwg@, but I agree that we should probably change it. :)
Mike West
Comment 4 2013-02-08 04:53:46 PST
Asked on whatwg@, Anne was unsurprised. FF's implementation matches ours, let's just leave it.
Note You need to log in before you can comment on or make changes to this bug.