On 1/8/13 1:42 AM, Boris Zbarsky wrote:
>On 1/7/13 11:28 PM, Ian Hickson wrote:
The check is the same -- if the Document that is the "this" to
which the property is being applied doesn't match the origin of the
script
that is doing the applying, throw SecurityError.
Actually, that's not enough. You have to security-check arguments too.
Otherwise this:
document.createTreeWalker(crossFrameDoc, etc);
would be bad. (Note that right now the DOM spec fails to handle this,
which is about what I would expect out of people creating APIs, which is
why I would really prefer we define this on a low level where people
can't screw up by forgetting it.)
-Boris
