
Re: XHR: definition of same-origin

From: Jonas Sicking <jonas@sicking.cc>
Date: Fri, 21 Sep 2007 12:13:44 -0700
Message-ID: <46F417E8.1000901@sicking.cc>
To: Boris Zbarsky <bzbarsky@MIT.EDU>
Cc: Anne van Kesteren <annevk@opera.com>, "Web API WG (public)" <public-webapi@w3.org>

Boris Zbarsky wrote:
> 
> Anne van Kesteren wrote:
>> I think HTML5 needs to define this as my understanding is that 
>> document.domain is also relevant in deciding whether or not a request 
>> is same-origin.
> 
> Actually, I don't think it is.  I know IE and Gecko ignore 
> document.domain for the existing same-origin checks...  Gecko used to 
> take it into account, but of course that broke sites given that IE 
> ignores it.

Taking document.domain into account when doing same-origin network 
activity would in fact be unsafe. Otherwise content at people.example.edu 
would be able to load data from example.edu which might not be safe.

In fact, in order for people.example.edu to talk to example.edu, *both* 
sites must explicitly have set document.domain to example.edu. This is 
of course not something that can happen before a network request, as the 
requested site has no way of setting document.domain.

Not sure how things originally worked when document.domain was 
implemented many moons ago, but at this point all vendors have fixed 
this issue.

/ Jonas
Received on Friday, 21 September 2007 19:13:41 GMT
