
Re: HTTPbis and the Same Origin Policy

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 3 Dec 2009 09:40:34 -0800
Message-ID: <7789133a0912030940p29bb390fr4b052a3d61683ed8@mail.gmail.com>
To: Tyler Close <tyler.close@gmail.com>
Cc: Daniel Stenberg <daniel@haxx.se>, Joe Gregorio <joe@bitworking.org>, "Manger, James H" <James.H.Manger@team.telstra.com>, public-web-security@w3.org

On Thu, Dec 3, 2009 at 9:36 AM, Tyler Close <tyler.close@gmail.com> wrote:
> SOP does allow some mucking around with the domain name topology (via
> document.domain), but AFAIK, this wouldn't allow foo.example.com to
> PUT to bar.example.com.

Actually, it does if both foo.example.com and bar.example.com opt in
by setting their document.domain property to "example.com".

Yes, document.domain is an abomination.  Newer APIs rightfully ignore it.

Adam
Received on Thursday, 3 December 2009 17:41:31 GMT
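
The opt-in behaviour described in the message above, as an added example that is not part of the original email: a simplified JavaScript model of the strict same-origin check and the check relaxed by document.domain. The function names and the origin record shape are assumptions made for the illustration, and the hosts are constructed samples using the names from the thread.

```javascript
// Added illustration: simplified model of the browser's two origin comparisons.
// An origin is {scheme, host, port, domain}; domain stays null until the page
// assigns document.domain.
function makeOrigin(url) {
  const u = new URL(url);
  const port = u.port || (u.protocol === "https:" ? "443" : "80");
  return { scheme: u.protocol, host: u.hostname, port, domain: null };
}

// Models `document.domain = value`: only the current host or a parent suffix
// of it is accepted. (Browsers also reject public suffixes such as "com";
// that list lookup is omitted here.)
function setDomain(origin, value) {
  if (origin.host !== value && !origin.host.endsWith("." + value)) {
    throw new Error("SecurityError: " + value + " is not a suffix of " + origin.host);
  }
  return { ...origin, domain: value };
}

// Strict comparison: scheme, host and port must all match.
function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Relaxed comparison that honours document.domain.
function sameOriginDomain(a, b) {
  if (a.domain !== null && b.domain !== null) {
    return a.scheme === b.scheme && a.domain === b.domain; // port is ignored
  }
  if (a.domain === null && b.domain === null) return sameOrigin(a, b);
  return false; // only one side opted in
}

// Constructed sample hosts, taken from the names used in the thread.
const foo = makeOrigin("http://foo.example.com/");
const bar = makeOrigin("http://bar.example.com:8080/");
const fooOpted = setDomain(foo, "example.com");
const barOpted = setDomain(bar, "example.com");

console.log(sameOriginDomain(foo, bar));           // neither opted in
console.log(sameOriginDomain(fooOpted, bar));      // one-sided opt-in
console.log(sameOriginDomain(fooOpted, barOpted)); // both opted in
console.log(sameOrigin(fooOpted, barOpted));       // strict check
```

In this model a host that sets document.domain also stops matching pages on its own host that have not set it, which is one reason to audit every place a site assigns the property.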
