'<iframe sandbox="allow-scripts" src="frame.html"></iframe>' with a framed document containing '<script>alert(window.location.origin);</script>' alerts the actual origin of the document, which wasn't what I expected. I'm not sure what's intended, but I expected that treating the framed document as existing in a unique origin would have some effect on the string output as its location's origin. WDYT, Adam?
It just returns the origin of the document's location, not the origin of the document itself. I agree that's surprising for sandboxed documents.
(In reply to comment #1)
> It just returns the origin of the document's location, not the origin of the document itself. I agree that's surprising for sandboxed documents.

Is it surprising enough that we should clearly change it, or should I just drop a note to the WHATWG?
I'd ask annevk on whatwg@, but I agree that we should probably change it. :)
Asked on whatwg@, Anne was unsurprised. FF's implementation matches ours, let's just leave it.
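
The distinction discussed in this thread, as an added example that is not part of the original comments or of any browser's code: `location.origin` serializes the origin of the document's URL, while `self.origin` (a platform API that postdates this thread) serializes the document's own origin, which is the string "null" for a sandboxed frame without `allow-same-origin`. The helper names `effectiveOrigin` and `isTrustedFrameMessage`, and the `https://example.test` values, are hypothetical.

```javascript
// Added example; function names and sample values are hypothetical.
// Compare the URL-derived origin with the document's own origin.
function effectiveOrigin(globalObj) {
  const urlOrigin = globalObj.location.origin;
  // self.origin is missing in older engines: report "unknown" instead of
  // silently trusting the URL-derived value for a security decision.
  const docOrigin =
    typeof globalObj.origin === "string" ? globalObj.origin : "unknown";
  return {
    urlOrigin,
    docOrigin,
    opaque: docOrigin === "null",        // unique (sandboxed) origin
    mismatch: docOrigin !== urlOrigin,   // location.origin would mislead here
  };
}

// Parent-side check for postMessage from the sandboxed frame.
// event.origin is "null" for every opaque-origin sender, so it cannot
// identify the frame; compare event.source with the frame's window as well.
function isTrustedFrameMessage(event, frameElement) {
  return event.origin === "null" &&
         event.source === frameElement.contentWindow;
}

// Constructed stand-ins for browser objects so the logic runs outside a browser.
const sandboxedGlobal = {
  location: { origin: "https://example.test" },
  origin: "null",
};
const normalGlobal = {
  location: { origin: "https://example.test" },
  origin: "https://example.test",
};
const legacyGlobal = { location: { origin: "https://example.test" } };

// In a real page, inspect the live global object.
if (typeof window !== "undefined") {
  console.log(effectiveOrigin(window));
}
```
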