Re: HTTPbis and the Same Origin Policy

On 12/3/09 9:40 AM, Adam Barth wrote:
> On Thu, Dec 3, 2009 at 9:36 AM, Tyler Close <tyler.close@gmail.com> wrote:
>> SOP does allow some mucking around with the domain name topology (via
>> document.domain), but AFAIK, this wouldn't allow foo.example.com to
>> PUT to bar.example.com.
> 
> Actually, it does if both foo.example.com and bar.example.com opt in
> by setting their document.domain property to "example.com".

How does setting document.domain allow a cross-domain PUT from a
browser? AFAIK the only currently supported way of generating a PUT from
a browser is XHR, and that should be ignoring document.domain in its
origin determination.

> Yes, document.domain is an abomination.  Newer APIs rightfully ignore it.

Amen.

Received on Thursday, 3 December 2009 21:14:53 UTC
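An added illustration of the distinction Tyler raises, not code from this thread or from any browser: a small model of the HTML spec's "same origin" check (used by XHR) beside the "same origin-domain" check (used for cross-frame DOM access), showing that a mutual document.domain opt-in relaxes the latter but not the former. The helper names are hypothetical, and the model omits the spec's public-suffix restriction on document.domain values.

```javascript
// Hypothetical model of two origin comparisons from the HTML spec.
// Origin tuple: scheme, host, port, plus the "domain" slot that
// document.domain assignment fills in.

function parseOrigin(url) {
  const u = new URL(url);
  const defaultPort = u.protocol === "https:" ? "443" : "80";
  return { scheme: u.protocol, host: u.hostname, port: u.port || defaultPort, domain: null };
}

// Model of assigning document.domain: the value must be the host itself or a
// dot-separated suffix of it, otherwise the browser throws a SecurityError.
// (Public-suffix check omitted in this model.) Returns a new origin with the
// domain slot set; the original is left untouched.
function setDocumentDomain(origin, value) {
  const ok = origin.host === value || origin.host.endsWith("." + value);
  if (!ok) throw new Error("SecurityError: " + value + " is not a suffix of " + origin.host);
  return { ...origin, domain: value };
}

// "Same origin": what XHR (and fetch/CORS) use. The domain slot plays no part,
// so document.domain cannot turn a cross-origin PUT into a same-origin one.
function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// "Same origin-domain": what cross-frame DOM access uses. Either both sides
// have set document.domain to the same value, or neither has and they are
// plain same-origin. A one-sided opt-in never matches.
function sameOriginDomain(a, b) {
  if (a.scheme !== b.scheme) return false;
  if (a.domain !== null && b.domain !== null) return a.domain === b.domain;
  if (a.domain === null && b.domain === null) return sameOrigin(a, b);
  return false;
}
```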