Re: HTTPbis and the Same Origin Policy

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 3 Dec 2009 13:26:46 -0800
Message-ID: <7789133a0912031326x5516e4ecj3c5a76cde0182f2c@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: Tyler Close <tyler.close@gmail.com>, Daniel Stenberg <daniel@haxx.se>, Joe Gregorio <joe@bitworking.org>, "Manger, James H" <James.H.Manger@team.telstra.com>, public-web-security@w3.org
On Thu, Dec 3, 2009 at 1:14 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
> On 12/3/09 9:40 AM, Adam Barth wrote:
>> On Thu, Dec 3, 2009 at 9:36 AM, Tyler Close <tyler.close@gmail.com> wrote:
>>> SOP does allow some mucking around with the domain name topology (via
>>> document.domain), but AFAIK, this wouldn't allow foo.example.com to
>>> PUT to bar.example.com.
>>
>> Actually, it does if both foo.example.com and bar.example.com opt in
>> by setting their document.domain property to "example.com".
>
> How does setting document.domain allow a cross-domain PUT from a
> browser? AFAIK the only currently supported way of generating a PUT from
> a browser is XHR, and that should be ignoring document.domain in its
> origin determination.

Imagine frame A is from foo.example.com and frame B is from
bar.example.com.  Now, both set their document.domain to
"example.com".  Once they do this, they can script each other, so
frame A injects a script tag into frame B.  When that script runs, it
can make a PUT request to bar.example.com with XMLHttpRequest.

Adam
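The scenario Adam describes, as an added example that is not part of the original thread: a small JavaScript model of how a document.domain opt-in interacts with XHR's origin check, usable to audit how far setting document.domain widens the set of origins a frame's script can issue same-origin requests to. The frame records are constructed, and makeFrame, setDocumentDomain, canScript, xhrSameOrigin and reachableOrigins are hypothetical helper names, not browser APIs.

```javascript
// Constructed model of the document.domain rules; not browser code.
function makeFrame(scheme, host, port) {
  return { scheme, host, port, domain: null };   // domain: document.domain once set
}

function originOf(f) { return `${f.scheme}://${f.host}:${f.port}`; }

// document.domain may only be set to the page's own host or a parent domain of it.
// Browsers also refuse public suffixes; this model assumes a fixed list of them.
const PUBLIC_SUFFIXES = new Set(['com', 'org', 'net']);
function setDocumentDomain(f, value) {
  const isSuffix = value === f.host || f.host.endsWith('.' + value);
  if (!isSuffix || PUBLIC_SUFFIXES.has(value)) return false;
  f.domain = value;
  return true;
}

// Two frames can script each other only when BOTH have explicitly set
// document.domain to the same value under the same scheme. A frame that never
// set it keeps its full origin, so one side opting in is not enough.
function canScript(a, b) {
  return a.domain !== null && a.domain === b.domain && a.scheme === b.scheme;
}

// XMLHttpRequest ignores document.domain: a request from frame f is same-origin
// only if the target URL matches f's original origin.
function xhrSameOrigin(f, url) {
  const u = new URL(url);
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  return `${u.protocol.slice(0, -1)}://${u.hostname}:${port}` === originOf(f);
}

// Audit helper: every origin from which code running in f can send same-origin
// XHRs, counting each frame f can script into, because script injected into a
// peer frame runs with that peer's origin. This is the PUT case in the thread.
function reachableOrigins(f, frames) {
  const out = new Set([originOf(f)]);
  for (const g of frames) if (g !== f && canScript(f, g)) out.add(originOf(g));
  return [...out];
}

// Walk through the thread's scenario with constructed frames.
const frameA = makeFrame('https', 'foo.example.com', '443');
const frameB = makeFrame('https', 'bar.example.com', '443');
setDocumentDomain(frameA, 'example.com');   // A alone opting in changes nothing
setDocumentDomain(frameB, 'example.com');   // once B opts in too, A can script B
console.log(reachableOrigins(frameA, [frameA, frameB]));
```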
Received on Thursday, 3 December 2009 21:27:43 GMT
