On Wed, Jan 9, 2013 at 2:18 PM, Boris Zbarsky <[email protected]> wrote:
> On 1/9/13 4:33 PM, Adam Barth wrote:
>> For what it's worth, that doesn't appear to be necessary for web
>> compatibility. Any time WebKit would return a Document to a script in
>> another origin, WebKit returns null instead.
>
> The HTML spec requires that property access on documents use effective
> script origin for checks.
>
> Effective script origins are mutable.
>
> It is in fact possible to get your hands on a document in a different
> effective script origin in WebKit (thanks, document.domain).

Those checks are neither required for compatibility nor security. The
spec might say to perform the checks, but they aren't needed to build
a secure, compatible browser.

Adam
