Maciej Stachowiak wrote: > In WebKit at least, that's not the case. If one site has an origin of > <http://example.com/> and another has an origin of > <http://subdomain.example.com/>, and the latter sets document.domain to > example.com, then no access will be allowed either way Sure. The origin compare only comes into play if both set .domain, of course; otherwise there's no point in comparing the origins. > Thus, we track whether document.domain has been set explicitly as an > additional flag in our representation of a security origin. Yeah. Gecko has two origin URIs, one of which might be null if domain wasn't set, but it amounts to the same thing. -BorisReceived on Monday, 29 September 2008 15:35:24 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:32:41 GMT