Open
Bug 1240096
Opened 9 years ago
Updated 2 years ago
Why does nsLocation use the subject principal, not the incumbent, for the triggering principal?
Categories
(Core :: DOM: Core & HTML, defect)
Core
DOM: Core & HTML
Tracking
()
NEW
| Tracking | Status | |
|---|---|---|
| firefox46 | --- | affected |
People
(Reporter: bzbarsky, Unassigned)
References
(Blocks 1 open bug)
Details
This really only matters much in cases where document.domain is involved, I think. But while we have an incumbent global there anyway, why not use it?
Flags: needinfo?(bobbyholley)
|
||
Comment 2•9 years ago
|
||
I'm pretty sure it's historical, but I'm also pretty sure it should never make an observable difference, modulo consumers that extract a URI from the principal. That is to say, the incumbent should always be same-origin with the subject, since that's how the web works, and also because we enforce it here: http://hg.mozilla.org/mozilla-central/file/tip/dom/base/ScriptSettings.cpp#l151
Flags: needinfo?(bobbyholley)
|
Reporter | |
Comment 3•9 years ago
|
||
> modulo consumers that extract a URI from the principal
Right. The thing that extracts URIs here is content policies.
I think using the incumbent makes a lot more sense here, honestly, for the consumers who do care about the URI.
|
|
||
Comment 4•9 years ago
|
||
(In reply to Boris Zbarsky [:bz] from comment #3)
> > modulo consumers that extract a URI from the principal
>
> Right. The thing that extracts URIs here is content policies.
>
> I think using the incumbent makes a lot more sense here, honestly, for the
> consumers who do care about the URI.
That is fine with me, sure. Though I really wish we tracked URI and origin separately...
|
Assignee | |
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
|
||
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•