On Tue, Jan 8, 2013 at 7:46 AM, Boris Zbarsky <bzbar...@mit.edu> wrote:
> Actually, that's not enough. You have to security-check arguments too.
> Otherwise this:
>
>   document.createTreeWalker(crossFrameDoc, etc);
>
> would be bad. (Note that right now the DOM spec fails to handle this, which
> is about what I would expect out of people creating APIs, which is why I
> would really prefer we define this on a low level where people can't screw
> up by forgetting it.)

You didn't file a bug on this I think. I did think HTML handled this already though which is why it is not addressed in the DOM specification.

--
http://annevankesteren.nl/