Closed
Bug 673852
Opened 13 years ago
Closed 7 years ago
setting iframe document.domain from data-url src operates on wrong document.domain (parent's instead of iframe's)
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
INVALID
People
(Reporter: simone.losoio, Unassigned)
Details
Attachments
(1 file)
|
(deleted),
application/octet-stream
|
Details |
User Agent: Mozilla/5.0 (Windows NT 5.0; rv:5.0) Gecko/20100101 Firefox/5.0
Build ID: 20110615151330
Steps to reproduce:
changed (widened) domain using document.domain from within an IFRAME whose src was a data-url
Actual results:
i found that not only iframe document.domain changed but also iframe's parent document.domain was changed.
Using same code from within an Iframe whose src is http url does work as expected (change document.domain of iframe only)
Opera works correctly both with data-url and http url.
Safari/Chrome do not let you change document.domain when using data-url, works fine with http url
Expected results:
only iframe's document.domain should change
|
Reporter | |
Updated•13 years ago
|
Component: General → Security
OS: Other → All
|
||
Comment 1•13 years ago
|
||
The iframe and the parent document have the same security origin (object identity, note!); setting document.domain changes that one shared security origin.
So the behavior is expected given the current security model for data: URLs in Gecko: they just count as part of the page that loaded them for security purposes.
I'm not sure that's necessarily a sane model, but no one has proposed a sane alternative either...
|
||
Updated•10 years ago
|
Component: Security → DOM
Product: Firefox → Core
|
|
||
Comment 2•7 years ago
|
||
Pretty sure this is no longer the case due to bug 1324406.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
|
Assignee | |
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•