106488 – Should `window.location.origin` return 'null' in a sandbox?

Bug 106488 - Should `window.location.origin` return 'null' in a sandbox?

Summary: Should `window.location.origin` return 'null' in a sandbox?

Status:	RESOLVED INVALID

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebCore Misc. (show other bugs)
Version:	528+ (Nightly build)
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Mike West

URL:
Keywords:

Depends on:
Blocks:

Reported:	2013-01-09 13:50 PST by Mike West
Modified:	2013-02-08 04:53 PST (History)
CC List:	2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Mike West 2013-01-09 13:50:18 PST

'<iframe sandbox="allow-scripts" src="frame.html"></iframe>' with a framed document containing '<script>alert(window.location.origin);</script>' alerts the actual origin of the document, which wasn't what I expected. I'm not sure what's intended, but I expected that treating the framed document as existing in a unique origin would have some effect on the string output as it's location's origin.

WDYT, Adam?

Comment 1 Adam Barth 2013-01-09 14:10:45 PST

It just returns the origin of the document's location, not the origin of the document itself.  I agree that's surprising for sandboxed documents.

Comment 2 Mike West 2013-01-09 14:20:29 PST

(In reply to comment #1)
> It just returns the origin of the document's location, not the origin of the document itself.  I agree that's surprising for sandboxed documents.

Is it surprising enough that we should clearly change it, or should I just drop a note to the WHATWG?

Comment 3 Adam Barth 2013-01-09 15:05:33 PST

I'd ask annevk on whatwg@, but I agree that we should probably change it.  :)

Comment 4 Mike West 2013-02-08 04:53:46 PST

Asked on whatwg@, Anne was unsurprised. FF's implementation matches ours, let's just leave it.