On 6/17/13 7:38 AM, Anne van Kesteren wrote:
> On Fri, Nov 30, 2012 at 11:47 AM, Boris Zbarsky <[email protected]> wrote:
>> Right.  My point was that "cross-origin" for the case of stylesheets at least
>> in Gecko depends on the origin of the script that tries to modify them, not
>> on the origin of the document that linked to them...
>
> Is there a good reason for this? This seems fairly distinct from how
> <img>, <script>, and <video> work.

Just in terms of considering effective script origins instead of origins?

<img> and <video> compare the origin of the canvas to the origin of the image/video, if you mean the security check I think you mean. It explicitly doesn't use effective script origin because you can't set that on <img>.

<script>, if you mean the onerror checks, in Gecko checks whether the effective script origin of the window whose onerror is about to fire matches the origin of the script. And we make the origin of the script an alias of the effective script origin of the document it's loaded into in cases when the script was either loaded no-cors or passed cors security checks. What do other UAs do?

Again, the default security check in Gecko is always against effective script origin, so any check that predates a recent spec is always that way. Whether there's a good reason for it needs to be checked on a case-by-case basis.

-Boris
