On 12/3/09 9:40 AM, Adam Barth wrote:
> On Thu, Dec 3, 2009 at 9:36 AM, Tyler Close <tyler.close@gmail.com> wrote:
>> SOP does allow some mucking around with the domain name topology (via
>> document.domain), but AFAIK, this wouldn't allow foo.example.com to
>> PUT to bar.example.com.
>
> Actually, it does if both foo.example.com and bar.example.com opt in
> by setting their document.domain property to "example.com".

How does setting document.domain allow a cross-domain PUT from a browser? AFAIK the only currently supported way of generating a PUT from a browser is XHR, and that should be ignoring document.domain in its origin determination.

> Yes, document.domain is an abomination. Newer APIs rightfully ignore it.

Amen.

Received on Thursday, 3 December 2009 21:14:53 GMT