On 4/2/12 5:54 PM, Ian Hickson wrote:
> My understanding is that security checks are only done for members of
> Document and Window objects.

That understanding certainly isn't correct as stated. For example, security checks are done on at least some members of Location objects (e.g. you can write location.href cross-origin, but not read it).

But even past that, I believe the understanding doesn't reflect behavior of at least some implementations. I can't speak to all of them; I haven't done extensive testing here.

That said, http://web.mit.edu/bzbarsky/www/testcases/effective-origin/test1.html has a testcase: Opera throws on the access after changing the origin to a different one. Gecko does not right now, but I believe we're strongly considering changing that behavior. Firefox versions up to Firefox 3 did throw in this situation, for what it's worth.

> (In particular, I believe Opera was stricter, and that that caused compat
> issues. I don't see any security issues here.)

Interesting. Opera still seems to have the "stricter" behavior, in my testing...

-Boris
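As an added illustration that is not part of the thread, the following Node script models the two checks Boris mentions: the effective-origin check re-run on every access after a document.domain change (the linked test case), and the Location exception where href can be written cross-origin but not read. The origin values and the sameOriginDomain/guard/scenario helpers are assumptions of this model, not browser APIs.

```javascript
// Added model of the checks discussed in the thread; not browser code.
// Origins are constructed sample values; guard() is a hypothetical helper.
// HTML's "same origin-domain" test: identical scheme/host/port with neither
// side having set document.domain, or both sides having set it to the same
// value under the same scheme. Setting it on only one side breaks access.
function sameOriginDomain(a, b) {
  if (a.domain === null && b.domain === null) {
    return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
  }
  return a.domain !== null && b.domain !== null &&
    a.domain === b.domain && a.scheme === b.scheme;
}
// Wrap a cross-document object so every access re-runs the check against the
// accessor's *current* effective origin. locationLike models the Location
// exception from the thread: href may be written cross-origin but not read.
function guard(target, accessor, locationLike = false) {
  const check = (what) => {
    if (!sameOriginDomain(accessor.origin, target.origin)) {
      throw new Error(`SecurityError: ${what} blocked cross-origin`);
    }
  };
  return new Proxy(target, {
    get(t, prop) { check(`read of ${String(prop)}`); return t[prop]; },
    set(t, prop, value) {
      if (!(locationLike && prop === 'href')) check(`write of ${String(prop)}`);
      t[prop] = value;
      return true;
    },
  });
}
function throws(fn) { try { fn(); return false; } catch { return true; } }
// Replays the cited test case: two documents on sibling hosts opt into a
// shared effective origin, one then changes it again, and a reference that
// worked a moment earlier now throws (the stricter behaviour seen in Opera).
function scenario() {
  const docA = { origin: { scheme: 'https', host: 'a.example.com', port: 443, domain: null } };
  const docB = { origin: { scheme: 'https', host: 'b.example.com', port: 443, domain: null }, secret: 42 };
  const locB = { origin: docB.origin, href: 'https://b.example.com/' };
  const winB = guard(docB, docA), locationB = guard(locB, docA, true);
  const out = { initialThrows: throws(() => winB.secret) };   // plain cross-origin read: blocked
  docA.origin.domain = docB.origin.domain = 'example.com';      // both set document.domain
  out.afterOptIn = winB.secret;                                 // now readable: 42
  docA.origin.domain = 'a.example.com';                         // A re-sets document.domain to its own host
  out.afterChangeThrows = throws(() => winB.secret);            // checked at access time: throws again
  locationB.href = 'https://b.example.com/other';               // href write allowed cross-origin
  out.hrefWritten = locB.href;
  out.hrefReadThrows = throws(() => locationB.href);            // but the read is blocked
  return out;
}
```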

