On Mar 31, 8:25 pm, Boris Zbarsky <[EMAIL PROTECTED]> wrote: > [EMAIL PROTECTED] wrote: > > I think there must be something here that I am missing. Can somebody > > point me to what the rules are now? (I found the post of BZ from > > 2006). > > The rules are that you can no longer change the origin of a document. This > means: > > 1) You can only document.load() documents from URIs that are same-origin with > the document you're calling load() on. If you created the document from > scratch, the URIs need to be same-origin with the code that called > createDocument(). > > 2) If you want to create a document from a string, use DOMParser. > > 3) If you need to create a document by parsing data that lives at a URI > you're > not same-origin with, use XMLHttpRequest. > > -Boris
Thanks. That is very helpful. --Barry _______________________________________________ dev-security mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security
