On Thu, 24 Jan 2008, Adam Barth wrote:
The security origin of frames that begin life with the URL "about:blank" or "" differs in different browsers. In Firefox and the trunk revision of WebKit, the principal for the frame is aliased to the principal of the frame's parent (or opener, if it is a top-level frame). In IE7, the frame appears to copy the principal.

http://crypto.stanford.edu/~abarth/research/html5/empty-frame/

The frame's window.location.href property matches the parent/opener in Firefox, IE, and Safari:

http://crypto.stanford.edu/~abarth/research/html5/empty-frame/href.html

The aliasing behaviour seems really dodgy. I've specced the copying behaviour, which also matches Opera.

The reason you want to use aliasing is in a situation like this (file loaded from www.example.com):

<html>
  <body>
  <iframe id=f></iframe> <!-- empty frame, starts life as about:blank -->
  <script>
onload = function() {
  // relax the outer document's domain from www.example.com to example.com
  document.domain = "example.com";
  // script access into the about:blank frame after the domain change
  document.getElementById('f').contentDocument.write("hello world");
}
  </script>
  </body>
</html>

the document.domain call changes the outer document's principal. If there was no aliasing then the .write call would result in a security exception stating that content from "example.com" doesn't have access to "www.example.com".

Similarly (file loaded from www.example.com):

<html>
  <body>
  <script>
onload = function() {
  // synchronous same-origin XHR; the response document gets its own principal
  var xhr = new XMLHttpRequest();
  xhr.open("GET", "http://www.example.com/data.xml", false);
  xhr.send(null);
  var doc = xhr.responseXML;
  doc.documentElement;            // first access, before the domain change
  document.domain = "example.com";
  doc.documentElement;            // second access, after the domain change
}
  </script>
  </body>
</html>

Without the XHR document "aliasing" the principal of the main document, the first doc.documentElement call will succeed, but the second will throw a security error.

/ Jonas
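As an added illustration that is not code from the thread, the following JavaScript models a frame principal under the two policies discussed (aliasing vs. copying) and replays the document.domain scenario above; the access check follows the HTML spec's "same origin-domain" rule, and the names Principal, sameOriginDomain and newEmptyFramePrincipal are assumed for the model.

```javascript
// Model of a document principal: scheme/host/port plus a mutable document.domain.
class Principal {
  constructor(scheme, host, port) {
    this.scheme = scheme; this.host = host; this.port = port;
    this.domain = null; // becomes non-null once document.domain is assigned
  }
  setDocumentDomain(domain) {
    // document.domain may only be set to the host itself or a parent domain of it
    // (public-suffix checks, e.g. refusing "com", are omitted from this model).
    if (domain !== this.host && !this.host.endsWith("." + domain)) {
      throw new Error(`SecurityError: cannot set document.domain to ${domain}`);
    }
    this.domain = domain;
  }
  clone() {
    const p = new Principal(this.scheme, this.host, this.port);
    p.domain = this.domain;
    return p;
  }
}

// HTML spec "same origin-domain": both sides relaxed to the same domain, or
// neither relaxed and a plain same-origin match. One-sided relaxation fails.
function sameOriginDomain(a, b) {
  if (a.scheme !== b.scheme) return false;
  if (a.domain !== null && b.domain !== null) return a.domain === b.domain;
  if (a.domain === null && b.domain === null) return a.host === b.host && a.port === b.port;
  return false;
}

// An about:blank frame either shares its parent's principal object ("alias",
// Firefox/WebKit in the thread) or receives a snapshot of it ("copy", IE7/Opera).
function newEmptyFramePrincipal(parent, policy) {
  return policy === "alias" ? parent : parent.clone();
}

// Replay Jonas's first scenario: the outer document sets document.domain and then
// writes into the empty frame. Returns true if the write is allowed.
// frameAlsoRelaxes models the fix a page needs under the copying policy.
function writeIntoFrameAfterDomainChange(policy, frameAlsoRelaxes = false) {
  const parent = new Principal("http", "www.example.com", 80);
  const frame = newEmptyFramePrincipal(parent, policy);
  parent.setDocumentDomain("example.com");
  if (frameAlsoRelaxes) frame.setDocumentDomain("example.com");
  return sameOriginDomain(parent, frame);
}
```

Under the copying policy the write is refused exactly as the thread describes, and only succeeds once the frame's own document.domain is set to match.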
