In javascript, as a security feature, access to some objects is restricted based on document origin. If that was cryptic, here is a concrete example. A frame in a page can't read the location of the parent using window.top.location.href property , if the frame came from a different webserver than the parent.
That is, if you do something like this inside the iframe
location = window.top.location.href
you would get an exception in Firefox, and IE (at least the more recent versions)
Error: uncaught exception: Permission denied to get property
Location.href
Location.href
I guess that is what the RFC may have prescribed. However, the behavior in Chrome and Safari is different. (And chrome and safari both are based on Webkit, so its essentially webkit). They will not throw an exception, but instead merely return undefined.
Now this initially seems counter intuitive, but to think of it, I believe there is a reason why webkit behaves so. Let's say you have the following code
location = window.top.location.href
// do something
doSomething()
...
In firefox, the code that follows will never execute, because an exception was thrown when we accessed window.top.location.href. This will not be intuitive to a lame javascript programmer. Or so thought the makers of Webkit, who decided that it is smarter not to throw an exception and just set location to undefined, so that doSomething gets called. Which means any 'not so lame programmer' who writes this
try {
location = window.top.location.href
doSomething();
} catch {
doSomethingElse();
}
will find that their code wouldn't work as expected on Safari and Chrome.
Which is why it is important to adhere to the specs, in letter and spirit.
No comments:
Post a Comment