
Re: XHR: definition of same-origin

From: Maciej Stachowiak <mjs@apple.com>
Date: Fri, 21 Sep 2007 20:28:13 -0700
Cc: "Web API WG (public)" <public-webapi@w3.org>
Message-Id: <00E505FD-0FB3-4234-B078-CBE276D1D532@apple.com>
To: Anne van Kesteren <annevk@opera.com>


On Sep 21, 2007, at 3:34 AM, Anne van Kesteren wrote:

> On Wed, 29 Aug 2007 05:04:24 +0200, Maciej Stachowiak  
> <mjs@apple.com> wrote:
>> Since this affects interoperability as well as security I would  
>> suggest adding a definition, unless the spec expected to define  
>> same-origin is going to happen soon.
>
> I think HTML5 needs to define this as my understanding is that  
> document.domain is also relevant in deciding whether or not a  
> request is same-origin. I'm not sure if that's happening soon though.

I don't think document.domain would apply when determining same origin  
for XMLHttpRequest. document.domain only relaxes access rules if both  
the source and target frame set document.domain. This prevents  
foo.bar.com from unilaterally deciding it should have access to a  
bar.com subframe. But there is no target frame in the case of  
XMLHttpRequest, so this can't apply. Note that document.domain (when  
set by both source and target frame) also lets you ignore port and  
protocol differences, which once again is not desirable for XHR.

Regards,
Maciej
Received on Saturday, 22 September 2007 03:28:24 UTC
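As an added illustration (not part of the original thread or any browser's code), the two checks contrasted in the message above, modelled in JavaScript: a strict scheme/host/port comparison for an XHR target, which has no frame that could opt in, and the document.domain relaxation as described, which applies only when both source and target frame have set the same value and then ignores port and protocol. The names `originOf`, `isSameOriginForXHR` and `documentDomainAllowsFrameAccess` are assumed, and the document.domain model is simplified (real engines also apply registrable-domain rules).

```javascript
// Added example, not code from the original thread. Uses the WHATWG URL global.

// Default ports so "http://bar.com" and "http://bar.com:80" compare as one origin.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Origin tuple (scheme, host, port) for an absolute URL.
function originOf(url) {
  const u = new URL(url);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol] || '',
  };
}

function sameTuple(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// XHR check: the request target is not a frame and cannot opt in, so only the
// full scheme/host/port tuple of the document and the request URL is compared.
// document.domain plays no role here.
function isSameOriginForXHR(documentUrl, requestUrl) {
  return sameTuple(originOf(documentUrl), originOf(requestUrl));
}

// Frame check as described in the message: access is relaxed only when BOTH
// the source and the target document have set document.domain to the same
// value, and that value is a suffix of each one's real host. When it applies,
// scheme and port differences are ignored. src/tgt are { url, domain }, where
// domain is the value set via document.domain (undefined if never set).
function documentDomainAllowsFrameAccess(src, tgt) {
  const a = originOf(src.url);
  const b = originOf(tgt.url);
  if (src.domain === undefined || tgt.domain === undefined) {
    // One side did not opt in (e.g. foo.bar.com acting unilaterally): strict rule.
    return sameTuple(a, b);
  }
  const d = src.domain.toLowerCase();
  if (d !== tgt.domain.toLowerCase()) return false;
  const isSuffix = (host) => host === d || host.endsWith('.' + d);
  return isSuffix(a.host) && isSuffix(b.host);
}
```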
