On Thu, 10 Jan 2013, Mike West wrote:
In WebKit, loading 'iframe sandbox=allow-scripts
src=frame.html/iframe' with a framed document containing
'scriptalert(window.location.origin);/script' alerts the actual
origin of the document, which wasn't what I expected. I'm not sure
what's
On Thu, Jan 10, 2013 at 12:17 AM, Mike West mk...@google.com wrote:
Adam explained that WebKit currently treats the 'origin' attribute as
the origin of the document's location, not the origin of the
document[1]. This is generally benign, but surprised me in the
sandboxed case.
What should
Hello!
In WebKit, loading 'iframe sandbox=allow-scripts
src=frame.html/iframe' with a framed document containing
'scriptalert(window.location.origin);/script' alerts the actual
origin of the document, which wasn't what I expected. I'm not sure
what's intended, but I expected that treating the