In addition to the domains, ports & protocols are compared whenever there is a cross-frame scripting. Earlier it was comparing only the domain names of both the frames. The current logic makes the situation complicated when domain names are explicitly set through java script methods to allow accessing the child frame that may come from a different port.
Sam just fixed this bug. Setting domain explicitly in both documents enables access between them.
(In reply to comment #1) > Sam just fixed this bug. Setting domain explicitly in both documents enables > access between them. > Garen, has Sam also included the fix for Bug Id 14820(http://bugs.webkit.org/show_bug.cgi?id=14820) ? Bug Id 14820 requires a small change in the Console message, to show the domain names along with the URLs, if there is a domain mismatch. Thanks, -Bhagya.
(In reply to comment #1) > Sam just fixed this bug. Setting domain explicitly in both documents enables > access between them. > A typical scenario for an SAP install is to have one Portal host (lal.corp.apple.com:50000 for example) which loads content from many other hosts into various iframes using different ports (lore.corp.apple.com:8000 and mire.apple.com:51000, for example). This achieved via domian-relaxing javascript in each of the frames, per IE domain-relaxing rules. Now that ports are being checked, won't the new port checking deny cross-frame scripting requests? If so, that is a big problem for SAP installs and a restriction that IE and Firefox don't currently have. Protocol I think should be compared, but not the ports, for reason stated above. Please advise.
The new policy is to not check the port or protocol if document.domain has been explicitly set to the same legal value in both documents. This policy matches other browsers and should not create an issue for SAP anymore.
(In reply to comment #4) > The new policy is to not check the port or protocol if document.domain has been > explicitly set to the same legal value in both documents. This policy matches > other browsers and should not create an issue for SAP anymore. > Perfect, that's what we need for SAP.