On Fri, Jun 15, 2012 at 3:46 PM, Ian Melven <[email protected]> wrote:
> in https://bugzilla.mozilla.org/show_bug.cgi?id=341604#c180, David-Sarah Hopwood
> makes a few points about cookies in sandboxed documents:
>
> "Ugh, that's mandating an information leak about whether the document has
> cookies. Maybe a minor leak, but I don't understand why it should exist:
> if allow-same-origin is not set, then the clear intent is that no
> information about cookies should be available."
>
> "Oh, and another reason not to do it that way is that it's a testing hazard
> for web developers. They test when there are no cookies, it works, then the
> parent document adds cookies (which has no reason to make any difference),
> and it breaks because the code in the sandboxed document didn't expect the
> exception."
>
> The spec (http://dev.w3.org/html5/spec/dom.html#sandboxCookies) says: "On
> getting, if the document is a cookie-free Document object, then the user
> agent must return the empty string. Otherwise, if the Document's origin is
> not a scheme/host/port tuple, the user agent must throw a SecurityError
> exception."
>
> IE 10, Chrome and the patches I am working on for Firefox all throw a
> SecurityError even if no cookies are set - I agree that this seems like
> the correct behaviour.

Yeah, that's much easier to implement and more consistent.

Adam
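
An added example, not part of the original thread or of any browser's code: a cookie reader for script that may run in a sandboxed document without allow-same-origin, written to expect the SecurityError discussed above instead of breaking on it. `makeDoc` and `readCookies` are hypothetical names, and the mock objects are constructed stand-ins for `document` so the block runs outside a browser.

```javascript
// Constructed stand-in for window.document (assumption: only the cookie getter matters here).
function makeDoc(kind, cookieString = "") {
  const doc = {};
  Object.defineProperty(doc, "cookie", {
    get() {
      if (kind === "sandboxed") {
        // Behaviour reported in the thread for IE 10, Chrome and the Firefox
        // patches: throw whether or not any cookies are set.
        const err = new Error("The operation is insecure.");
        err.name = "SecurityError";
        throw err;
      }
      return cookieString;
    },
  });
  return doc;
}

// Returns { accessible, cookies }. A SecurityError means "cookie access denied",
// which callers must treat differently from "no cookies set".
function readCookies(doc) {
  let raw;
  try {
    raw = doc.cookie;
  } catch (e) {
    if (e && e.name === "SecurityError") {
      return { accessible: false, cookies: new Map() };
    }
    throw e; // unrelated failure: do not mask it
  }
  const cookies = new Map();
  for (const part of raw.split(";")) {
    const pair = part.trim();
    if (!pair) continue;
    const eq = pair.indexOf("=");
    // Split on the first "=" only; values may themselves contain "=".
    const name = eq === -1 ? "" : pair.slice(0, eq);
    const value = eq === -1 ? pair : pair.slice(eq + 1);
    if (!cookies.has(name)) cookies.set(name, value);
  }
  return { accessible: true, cookies };
}
```

In a page, call `readCookies(document)` and branch on `accessible`, so the same code path is exercised whether or not the parent has set cookies.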
