Skip to content
Permalink
Browse files

[e] (0) Block access to all properties when going cross-origin, not j…

…ust defined members.

Fixing http://www.w3.org/Bugs/Public/show_bug.cgi?id=12440

git-svn-id: http://svn.whatwg.org/webapps@6296 340c8d12-0b0e-0410-8428-c7bf67bfef74
  • Loading branch information...
Hixie committed Jul 14, 2011
1 parent 218680e commit f045cdbfb2eefc955028f1af74b5710da558deab
Showing with 14 additions and 14 deletions.
  1. +5 −5 complete.html
  2. +5 −5 index
  3. +4 −4 source

<header class=head id=head><p><a class=logo href=http://www.whatwg.org/><img alt=WHATWG height=101 src=/images/logo width=101></a></p>
<hgroup><h1>Web Applications 1.0</h1>
<h2 class="no-num no-toc">Living Standard &mdash; Last Updated 13 July 2011</h2>
<h2 class="no-num no-toc">Living Standard &mdash; Last Updated 14 July 2011</h2>
</hgroup><dl><dt>Multiple-page version:</dt>
<dd><a href=http://www.whatwg.org/specs/web-apps/current-work/complete/>http://www.whatwg.org/specs/web-apps/current-work/complete/</a></dd>
<dt>One-page version:</dt>
<h4 id=security-document><span class=secno>3.1.2 </span>Security</h4>

<p id=security>User agents <span class=impl>must</span> raise a
<code><a href=#security_err>SECURITY_ERR</a></code> exception whenever any of the members of
an <code><a href=#htmldocument>HTMLDocument</a></code> object are accessed by scripts whose
<code><a href=#security_err>SECURITY_ERR</a></code> exception whenever any properties of a
<code><a href=#document>Document</a></code> object are accessed by scripts whose
<a href=#effective-script-origin>effective script origin</a> is not the <a href=#same-origin title="same
origin">same</a> as the <code><a href=#document>Document</a></code>'s <a href=#effective-script-origin>effective
script origin</a>.</p>
<h4 id=security-window><span class=secno>6.2.1 </span>Security</h4>

<p id=security-2>User agents must raise a
<code><a href=#security_err>SECURITY_ERR</a></code> exception whenever any of the members of a
<code><a href=#security_err>SECURITY_ERR</a></code> exception whenever any properties of a
<code><a href=#window>Window</a></code> object are accessed by scripts whose
<a href=#effective-script-origin>effective script origin</a> is not the same as the
<code><a href=#window>Window</a></code> object's <code><a href=#document>Document</a></code>'s <a href=#effective-script-origin>effective
script origin</a>, with the following exceptions:</p>

<ul><li>The <code title=dom-location><a href=#dom-location>location</a></code> object
<ul><li>The <code title=dom-location><a href=#dom-location>location</a></code> attribute

<li>The <code title=dom-window-postMessage><a href=#dom-window-postmessage>postMessage()</a></code> method

10 index

<header class=head id=head><p><a class=logo href=http://www.whatwg.org/><img alt=WHATWG height=101 src=/images/logo width=101></a></p>
<hgroup><h1 class=allcaps>HTML</h1>
<h2 class="no-num no-toc">Living Standard &mdash; Last Updated 13 July 2011</h2>
<h2 class="no-num no-toc">Living Standard &mdash; Last Updated 14 July 2011</h2>
</hgroup><dl><dt><strong>Web developer edition</strong></dt>
<dd><strong><a href=http://developers.whatwg.org/>http://developers.whatwg.org/</a></strong></dd>
<dt>Multiple-page version:</dt>
<h4 id=security-document><span class=secno>3.1.2 </span>Security</h4>

<p id=security>User agents <span class=impl>must</span> raise a
<code><a href=#security_err>SECURITY_ERR</a></code> exception whenever any of the members of
an <code><a href=#htmldocument>HTMLDocument</a></code> object are accessed by scripts whose
<code><a href=#security_err>SECURITY_ERR</a></code> exception whenever any properties of a
<code><a href=#document>Document</a></code> object are accessed by scripts whose
<a href=#effective-script-origin>effective script origin</a> is not the <a href=#same-origin title="same
origin">same</a> as the <code><a href=#document>Document</a></code>'s <a href=#effective-script-origin>effective
script origin</a>.</p>
<h4 id=security-window><span class=secno>6.2.1 </span>Security</h4>

<p id=security-2>User agents must raise a
<code><a href=#security_err>SECURITY_ERR</a></code> exception whenever any of the members of a
<code><a href=#security_err>SECURITY_ERR</a></code> exception whenever any properties of a
<code><a href=#window>Window</a></code> object are accessed by scripts whose
<a href=#effective-script-origin>effective script origin</a> is not the same as the
<code><a href=#window>Window</a></code> object's <code><a href=#document>Document</a></code>'s <a href=#effective-script-origin>effective
script origin</a>, with the following exceptions:</p>

<ul><li>The <code title=dom-location><a href=#dom-location>location</a></code> object
<ul><li>The <code title=dom-location><a href=#dom-location>location</a></code> attribute

<li>The <code title=dom-window-postMessage><a href=#dom-window-postmessage>postMessage()</a></code> method

8 source
@@ -9330,8 +9330,8 @@ interface <dfn>HTMLDocument</dfn> {
<h4 id="security-document">Security</h4>

<p id="security">User agents <span class="impl">must</span> raise a
<code>SECURITY_ERR</code> exception whenever any of the members of
an <code>HTMLDocument</code> object are accessed by scripts whose
<code>SECURITY_ERR</code> exception whenever any properties of a
<code>Document</code> object are accessed by scripts whose
<span>effective script origin</span> is not the <span title="same
origin">same</span> as the <code>Document</code>'s <span>effective
script origin</span>.</p>
<h4 id="security-window">Security</h4>

<p id="security-2">User agents must raise a
<code>SECURITY_ERR</code> exception whenever any of the members of a
<code>SECURITY_ERR</code> exception whenever any properties of a
<code>Window</code> object are accessed by scripts whose
<span>effective script origin</span> is not the same as the
<code>Window</code> object's <code>Document</code>'s <span>effective
script origin</span>, with the following exceptions:</p>

<ul>

<li>The <code title="dom-location">location</code> object
<li>The <code title="dom-location">location</code> attribute

<li>The <code title="dom-window-postMessage">postMessage()</code> method

0 comments on commit f045cdb

Please sign in to comment.
You can’t perform that action at this time.