W3C home > Mailing lists > Public > public-webapi@w3.org > September 2007

Re: XHR: definition of same-origin

From: Hallvord R. M. Steen <hallvord@opera.com>
Date: Wed, 26 Sep 2007 23:03:47 +0200
To: "Maciej Stachowiak" <mjs@apple.com>, "Anne van Kesteren" <annevk@opera.com>
Cc: "Web API WG (public)" <public-webapi@w3.org>
Message-ID: <op.ty94sl1ia3v5gv@hr-opera.upc.no>

On Sat, 22 Sep 2007 05:28:13 +0200, Maciej Stachowiak <mjs@apple.com>  

>> I think HTML5 needs to define this as my understanding is that  
>> document.domain is also relevant in deciding whether or not a request  
>> is same-origin. I'm not sure if that's happening soon though.
> I don't think document.domain would apply when determining same origin  
> for XMLHttpRequest.

This is actually supported in Opera, XHR is allowed to both original  
hostname and document.domain . So this won't show an alert on  
http://www.example.org/ :

javascript: document.domain='example.org';var x; try{(x=new  
XMLHttpRequest()).open('GET', 'http://example.org/',  
true);void(x.send(null));}catch(e){ alert(e);}

(This was implemented on suggestions from live.com )

> Note that document.domain (when set by both source and target frame)  
> also lets you ignore port and protocol differences, which once again is  
> not desirable for XHR.

I know we ignore port differences but I don't think we ignore protocol.  
Are you saying that Safari lets https://secure.example.org/ talk to  
http://www.example.org if they both set document.domain to example.org ?

Hallvord R. M. Steen
Core QA JavaScript tester, Opera Software
Opera - simply the best Internet experience
Received on Wednesday, 26 September 2007 21:00:32 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:16:24 UTC