Open Bug 1240096
Opened 9 years ago, updated 3 years ago
Why does nsLocation use the subject principal, not the incumbent, for the triggering principal? 
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
NEW
| | Tracking | Status |
|---|---|---|
| firefox46 | --- | affected |
People
(Reporter: bzbarsky, Unassigned)
References
(Blocks 1 open bug)
Details
This really only matters much in cases where document.domain is involved, I think.  But while we have an incumbent global there anyway, why not use it?
Flags: needinfo?(bobbyholley)
Comment 2 • 9 years ago
I'm pretty sure it's historical, but I'm also pretty sure it should never make an observable difference, modulo consumers that extract a URI from the principal. That is to say, the incumbent should always be same-origin with the subject, since that's how the web works, and also because we enforce it here: http://hg.mozilla.org/mozilla-central/file/tip/dom/base/ScriptSettings.cpp#l151
Flags: needinfo?(bobbyholley)
Comment 3 • 9 years ago (Reporter)
> modulo consumers that extract a URI from the principal
Right.  The thing that extracts URIs here is content policies.
I think using the incumbent makes a lot more sense here, honestly, for the consumers who do care about the URI.
Comment 4 • 9 years ago
(In reply to Boris Zbarsky [:bz] from comment #3)
> > modulo consumers that extract a URI from the principal
> 
> Right.  The thing that extracts URIs here is content policies.
> 
> I think using the incumbent makes a lot more sense here, honestly, for the
> consumers who do care about the URI.
That is fine with me, sure. Though I really wish we tracked URI and origin separately...
Updated • 6 years ago (Assignee)
Component: DOM → DOM: Core & HTML
Updated • 3 years ago
Severity: normal → S3