Skip to content
Permalink
Browse files

[] (3) Remove security checks on Document since there should now be n…

…o way to get to a Document from another origin.

Fixing https://www.w3.org/Bugs/Public/show_bug.cgi?id=23219
Affected topics: DOM APIs, HTML Syntax and Parsing, Security

git-svn-id: http://svn.whatwg.org/webapps@8273 340c8d12-0b0e-0410-8428-c7bf67bfef74
  • Loading branch information...
Hixie committed Nov 12, 2013
1 parent 3bc328b commit 3f221df626cea31d056fbada9c576cb09dacd7c5
Showing with 19 additions and 75 deletions.
  1. +9 −28 complete.html
  2. +9 −28 index
  3. +1 −19 source
<li><a href=#documents><span class=secno>3.1 </span>Documents</a>
<ol>
<li><a href=#the-document-object><span class=secno>3.1.1 </span>The <code>Document</code> object</a></li>
<li><a href=#security-document><span class=secno>3.1.2 </span>Security</a></li>
<li><a href=#resource-metadata-management><span class=secno>3.1.3 </span>Resource metadata management</a></li>
<li><a href=#dom-tree-accessors><span class=secno>3.1.4 </span>DOM tree accessors</a></li>
<li><a href=#loading-xml-documents><span class=secno>3.1.5 </span>Loading XML documents</a></ol></li>
<li><a href=#resource-metadata-management><span class=secno>3.1.2 </span>Resource metadata management</a></li>
<li><a href=#dom-tree-accessors><span class=secno>3.1.3 </span>DOM tree accessors</a></li>
<li><a href=#loading-xml-documents><span class=secno>3.1.4 </span>Loading XML documents</a></ol></li>
<li><a href=#elements><span class=secno>3.2 </span>Elements</a>
<ol>
<li><a href=#semantics-0><span class=secno>3.2.1 </span>Semantics</a></li>
<a href=#document>Document</a> implements <a href=#globaleventhandlers>GlobalEventHandlers</a>;</pre>


<!--ADD-TOPIC:Security-->
<h4 id=security-document><span class=secno>3.1.2 </span>Security</h4>

<!--CLEANUP-->
<p id=security>User agents must throw a <code><a href=#securityerror>SecurityError</a></code> exception whenever any
properties of a <code><a href=#document>Document</a></code> object are accessed when the <a href=#incumbent-settings-object>incumbent settings object</a>
specifies an <a href=#effective-script-origin>effective script origin</a> that is not the <a href=#same-origin title="same origin">same</a>
as the <code><a href=#document>Document</a></code>'s <a href=#effective-script-origin>effective script origin</a>.</p>

<!--CLEANUP-->
<p>When the <a href=#incumbent-settings-object>incumbent settings object</a> specifies an <a href=#effective-script-origin>effective script origin</a> that is different than
a <code><a href=#document>Document</a></code> object's <a href=#effective-script-origin>effective script origin</a>, the user agent must act as
if <!--(redundant since you can't access any anyway) any changes to that <code>Document</code>
object's properties, getters, setters, etc, were not present, and as if--> all the properties of
that <code><a href=#document>Document</a></code> object had their [[Enumerable]] attribute set to false.</p>
<!--REMOVE-TOPIC:Security-->



<h4 id=resource-metadata-management><span class=secno>3.1.3 </span><dfn>Resource metadata management</dfn></h4>
<h4 id=resource-metadata-management><span class=secno>3.1.2 </span><dfn>Resource metadata management</dfn></h4>

<dl class=domintro><dt><var title="">document</var> . <code title=dom-document-referrer><a href=#dom-document-referrer>referrer</a></code></dt>
<dd>



<h4 id=dom-tree-accessors><span class=secno>3.1.4 </span><dfn>DOM tree accessors</dfn></h4>
<h4 id=dom-tree-accessors><span class=secno>3.1.3 </span><dfn>DOM tree accessors</dfn></h4>

<p><dfn id=the-html-element-0>The <code>html</code> element</dfn> of a document is the
document's root element, if there is one and it's an

<div class=impl> <!-- very deprecated API; use XHR instead -->

<h4 id=loading-xml-documents><span class=secno>3.1.5 </span>Loading XML documents</h4>
<h4 id=loading-xml-documents><span class=secno>3.1.4 </span>Loading XML documents</h4>

<pre class=idl>partial interface <dfn id=xmldocument>XMLDocument</dfn> {
<!--SYNCLOAD attribute boolean <span title="dom-XMLDocument-async">async</span>;
this also fires an event synchronously during the task -->.</li>

<li><p>If the <code><a href=#document>Document</a></code> is in a <a href=#browsing-context>browsing context</a>, create a <a href=#concept-events-trusted title=concept-events-trusted>trusted</a> event named <code title=event-load>load</code> that does not bubble and is not cancelable and which uses the
<code><a href=#event>Event</a></code> interface, and <a href=#concept-event-dispatch title=concept-event-dispatch>dispatch it at
the <code>Document</code>'s <code>Window</code> object, with <i>target override</i> set to the
<code>Document</code> object.</a></li>
<code><a href=#event>Event</a></code> interface, and <a href=#concept-event-dispatch title=concept-event-dispatch>dispatch</a> it at
the <code><a href=#document>Document</a></code>'s <code><a href=#window>Window</a></code> object, with <i>target override</i> set to the
<code><a href=#document>Document</a></code> object.</li>

</ol></li>

37 index
<li><a href=#documents><span class=secno>3.1 </span>Documents</a>
<ol>
<li><a href=#the-document-object><span class=secno>3.1.1 </span>The <code>Document</code> object</a></li>
<li><a href=#security-document><span class=secno>3.1.2 </span>Security</a></li>
<li><a href=#resource-metadata-management><span class=secno>3.1.3 </span>Resource metadata management</a></li>
<li><a href=#dom-tree-accessors><span class=secno>3.1.4 </span>DOM tree accessors</a></li>
<li><a href=#loading-xml-documents><span class=secno>3.1.5 </span>Loading XML documents</a></ol></li>
<li><a href=#resource-metadata-management><span class=secno>3.1.2 </span>Resource metadata management</a></li>
<li><a href=#dom-tree-accessors><span class=secno>3.1.3 </span>DOM tree accessors</a></li>
<li><a href=#loading-xml-documents><span class=secno>3.1.4 </span>Loading XML documents</a></ol></li>
<li><a href=#elements><span class=secno>3.2 </span>Elements</a>
<ol>
<li><a href=#semantics-0><span class=secno>3.2.1 </span>Semantics</a></li>
<a href=#document>Document</a> implements <a href=#globaleventhandlers>GlobalEventHandlers</a>;</pre>


<!--ADD-TOPIC:Security-->
<h4 id=security-document><span class=secno>3.1.2 </span>Security</h4>

<!--CLEANUP-->
<p id=security>User agents must throw a <code><a href=#securityerror>SecurityError</a></code> exception whenever any
properties of a <code><a href=#document>Document</a></code> object are accessed when the <a href=#incumbent-settings-object>incumbent settings object</a>
specifies an <a href=#effective-script-origin>effective script origin</a> that is not the <a href=#same-origin title="same origin">same</a>
as the <code><a href=#document>Document</a></code>'s <a href=#effective-script-origin>effective script origin</a>.</p>

<!--CLEANUP-->
<p>When the <a href=#incumbent-settings-object>incumbent settings object</a> specifies an <a href=#effective-script-origin>effective script origin</a> that is different than
a <code><a href=#document>Document</a></code> object's <a href=#effective-script-origin>effective script origin</a>, the user agent must act as
if <!--(redundant since you can't access any anyway) any changes to that <code>Document</code>
object's properties, getters, setters, etc, were not present, and as if--> all the properties of
that <code><a href=#document>Document</a></code> object had their [[Enumerable]] attribute set to false.</p>
<!--REMOVE-TOPIC:Security-->



<h4 id=resource-metadata-management><span class=secno>3.1.3 </span><dfn>Resource metadata management</dfn></h4>
<h4 id=resource-metadata-management><span class=secno>3.1.2 </span><dfn>Resource metadata management</dfn></h4>

<dl class=domintro><dt><var title="">document</var> . <code title=dom-document-referrer><a href=#dom-document-referrer>referrer</a></code></dt>
<dd>



<h4 id=dom-tree-accessors><span class=secno>3.1.4 </span><dfn>DOM tree accessors</dfn></h4>
<h4 id=dom-tree-accessors><span class=secno>3.1.3 </span><dfn>DOM tree accessors</dfn></h4>

<p><dfn id=the-html-element-0>The <code>html</code> element</dfn> of a document is the
document's root element, if there is one and it's an

<div class=impl> <!-- very deprecated API; use XHR instead -->

<h4 id=loading-xml-documents><span class=secno>3.1.5 </span>Loading XML documents</h4>
<h4 id=loading-xml-documents><span class=secno>3.1.4 </span>Loading XML documents</h4>

<pre class=idl>partial interface <dfn id=xmldocument>XMLDocument</dfn> {
<!--SYNCLOAD attribute boolean <span title="dom-XMLDocument-async">async</span>;
this also fires an event synchronously during the task -->.</li>

<li><p>If the <code><a href=#document>Document</a></code> is in a <a href=#browsing-context>browsing context</a>, create a <a href=#concept-events-trusted title=concept-events-trusted>trusted</a> event named <code title=event-load>load</code> that does not bubble and is not cancelable and which uses the
<code><a href=#event>Event</a></code> interface, and <a href=#concept-event-dispatch title=concept-event-dispatch>dispatch it at
the <code>Document</code>'s <code>Window</code> object, with <i>target override</i> set to the
<code>Document</code> object.</a></li>
<code><a href=#event>Event</a></code> interface, and <a href=#concept-event-dispatch title=concept-event-dispatch>dispatch</a> it at
the <code><a href=#document>Document</a></code>'s <code><a href=#window>Window</a></code> object, with <i>target override</i> set to the
<code><a href=#document>Document</a></code> object.</li>

</ol></li>

20 source
<span>Document</span> implements <span>GlobalEventHandlers</span>;</pre>


<!--ADD-TOPIC:Security-->
<h4 id="security-document">Security</h4>

<!--CLEANUP-->
<p id="security">User agents must throw a <code>SecurityError</code> exception whenever any
properties of a <code>Document</code> object are accessed when the <span>incumbent settings object</span>
specifies an <span>effective script origin</span> that is not the <span data-x="same origin">same</span>
as the <code>Document</code>'s <span>effective script origin</span>.</p>

<!--CLEANUP-->
<p>When the <span>incumbent settings object</span> specifies an <span>effective script origin</span> that is different than
a <code>Document</code> object's <span>effective script origin</span>, the user agent must act as
if <!--(redundant since you can't access any anyway) any changes to that <code>Document</code>
object's properties, getters, setters, etc, were not present, and as if--> all the properties of
that <code>Document</code> object had their [[Enumerable]] attribute set to false.</p>
<!--REMOVE-TOPIC:Security-->



<h4><dfn>Resource metadata management</dfn></h4>

<li><p>If the <code>Document</code> is in a <span>browsing context</span>, create a <span
data-x="concept-events-trusted">trusted</span> event named <code
data-x="event-load">load</code> that does not bubble and is not cancelable and which uses the
<code>Event</code> interface, and <span data-x="concept-event-dispatch">dispatch</soan> it at
<code>Event</code> interface, and <span data-x="concept-event-dispatch">dispatch</span> it at
the <code>Document</code>'s <code>Window</code> object, with <i>target override</i> set to the
<code>Document</code> object.</p></li>

0 comments on commit 3f221df

Please sign in to comment.
You can’t perform that action at this time.