[Webkit-unassigned] [Bug 189371] New: document.open() should throw errors for cross-origin calls
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu Sep 6 14:21:26 PDT 2018
https://bugs.webkit.org/show_bug.cgi?id=189371
Bug ID: 189371
Summary: document.open() should throw errors for cross-origin
calls
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: HTML DOM
Assignee: webkit-unassigned at lists.webkit.org
Reporter: timothygu99 at gmail.com
CC: cdumez at apple.com
https://html.spec.whatwg.org/multipage/dynamic-markup-insertion.html#document-open-steps has:
> 3. Let entryDocument be the responsible document specified by the entry settings object.
>
> 4. If document's origin is not same origin to entryDocument's origin, then throw a "SecurityError" DOMException.
This also applies to implicit calls to document.open() by way of document.write().
Tests:
- https://github.com/web-platform-tests/wpt/blob/master/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/bailout-exception-vs-return-origin.sub.window.js
- https://github.com/web-platform-tests/wpt/blob/master/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/origin-check-in-document-open-same-origin-domain.sub.html
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20180906/aceec0e9/attachment.html>
More information about the webkit-unassigned
mailing list