Re: [XHR] security issue with spec's "same-origin" and the Document pointer

2008-11-24 Thread Ian Hickson
On Mon, 24 Nov 2008, Hallvord R. M. Steen wrote:
> The point is that there *is* no document pointer until you call the constructor - per the spec. And once that script calls the constructor and the document pointer is created, the associated window has a different document in it from a

Re: [XHR] security issue with spec's "same-origin" and the Document pointer

2008-11-24 Thread Hallvord R. M. Steen
On Sun, 23 Nov 2008 22:32:02 +0100, Anne van Kesteren <[EMAIL PROTECTED]> wrote: var xhrConstructor = iframe.contentWindow.XMLHttpRequest; iframe.src='http://attackee.example.com/'; . . var xhr = new xhrConstructor(); When the constructor is invoked here, the associated document of its as

Re: [XHR] security issue with spec's "same-origin" and the Document pointer

2008-11-23 Thread Anne van Kesteren
On Sun, 23 Nov 2008 18:13:41 +0100, Hallvord R. M. Steen <[EMAIL PROTECTED]> wrote: On Fri, 21 Nov 2008 21:14:59 +0100, Anne van Kesteren <[EMAIL PROTECTED]> wrote: var xhrConstructor = iframe.contentWindow.XMLHttpRequest; iframe.src='http://attackee.example.com/'; . . var xhr = new xhrConst

Re: [XHR] security issue with spec's "same-origin" and the Document pointer

2008-11-23 Thread Hallvord R. M. Steen
On Fri, 21 Nov 2008 21:14:59 +0100, Anne van Kesteren <[EMAIL PROTECTED]> wrote: var xhrConstructor = iframe.contentWindow.XMLHttpRequest; iframe.src='http://attackee.example.com/'; . . var xhr = new xhrConstructor(); When the constructor is invoked here, the associated document of its as

Re: [XHR] security issue with spec's "same-origin" and the Document pointer

2008-11-21 Thread Anne van Kesteren
On Fri, 21 Nov 2008 17:28:34 +0100, Hallvord R. M. Steen <[EMAIL PROTECTED]> wrote: var xhrConstructor = iframe.contentWindow.XMLHttpRequest; iframe.src='http://attackee.example.com/'; . . var xhr = new xhrConstructor(); When the constructor is invoked here, the associated document of its a

[XHR] security issue with spec's "same-origin" and the Document pointer

2008-11-21 Thread Hallvord R. M. Steen
http://www.w3.org/TR/XMLHttpRequest/#document-pointer says When the XMLHttpRequest() constructor is invoked a persistent pointer to the associated Document object is stored on the newly created object. This is the Document pointer. The associated Document object is the one returned by the