Closed Bug 673852 Opened 9 years ago Closed 2 years ago
setting iframe document
.domain from data-url src operates on wrong document .domain (parent's instead of iframe's)
a couple of html files to play with bug: set in hosts file 127.0.0.1 to foo.foobar.com and serve files from http
736 bytes, application/octet-stream
User Agent: Mozilla/5.0 (Windows NT 5.0; rv:5.0) Gecko/20100101 Firefox/5.0 Build ID: 20110615151330 Steps to reproduce: changed (widened) domain using document.domain from within an IFRAME whose src was a data-url Actual results: i found that not only iframe document.domain changed but also iframe's parent document.domain was changed. Using same code from within an Iframe whose src is http url does work as expected (change document.domain of iframe only) Opera works correctly both with data-url and http url. Safari/Chrome do not let you change document.domain when using data-url, works fine with http url Expected results: only iframe's document.domain should change
The iframe and the parent document have the same security origin (object identity, note!); setting document.domain changes that one shared security origin. So the behavior is expected given the current security model for data: URLs in Gecko: they just count as part of the page that loaded them for security purposes. I'm not sure that's necessarily a sane model, but no one has proposed a sane alternative either...
Pretty sure this is no longer the case due to bug 1324406.
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → INVALID
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.