Re: [whatwg] proposal for a location.domain property

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Thu, 24 May 2012 17:49:58 -0400
Message-ID: <4FBEAD06.2020303@mit.edu>
To: whatwg@lists.whatwg.org

On 5/24/12 5:02 PM, Maciej Stachowiak wrote:
> I agree. Even though there are still legacy features like cookies and document.domain that use domain-based security, most of the Web platform uses origin-based security

For security, yes.

But for, say, resource limits, one wants to use domain-based limits 
because otherwise limits are easily worked around using subdomains.  At 
least that's the way we try to do it in Gecko.

Looking at our (Mozilla's) internal uses of getBaseDomain(), it's used for:

* cookies
* various site identity UI bits (e.g. highlighting the TLD+1 in the URL
   bar, the thing to show as the site identifier in various prompts, and
   so forth)
* something about deciding whether to send CSP error reports
* "third-party" determination (mostly cookies again, I suspect)
* document.domain setting
* Clearing "per-site" plugin data (see cookies)
* localStorage quota enforcement
* Something with caps on number of concurrent DOM workers
* The URL bar autosuggest implementation

I agree that it's not entirely clear how much of this is relevant to the 
web at large.  Web apps that need this functionality (e.g. the browser 
in B2G) _can_ always import the eTLD list, if forced to....

-Boris
Received on Thursday, 24 May 2012 21:50:31 GMT
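
The point about subdomains and resource limits, as an added example that is not part of the original message and is not Mozilla's code: a storage quota keyed by origin next to one keyed by base domain (eTLD+1). The rule set is a small constructed subset of the Public Suffix List, and `baseDomainOf`, `makeQuota` and `acceptedWrites` are hypothetical names.

```javascript
// Constructed subset of Public Suffix List rules; a real deployment loads the full list.
const RULES = new Set(["com", "org", "uk", "co.uk", "*.ck", "!www.ck"]);

// Number of trailing labels that form the public suffix (eTLD).
function publicSuffixLength(labels) {
  let best = 1; // default rule "*": an unlisted TLD is a one-label suffix
  for (let i = 0; i < labels.length; i++) {
    const n = labels.length - i;
    const exact = labels.slice(i).join(".");
    if (RULES.has("!" + exact)) return n - 1; // exception rule prevails
    const wild = ["*", ...labels.slice(i + 1)].join(".");
    if (RULES.has(exact) || RULES.has(wild)) best = Math.max(best, n);
  }
  return best;
}

// eTLD+1 of a DNS hostname, or null if the name is itself a public suffix.
// IP literals and IDN normalisation are out of scope for this sketch.
function baseDomainOf(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  const n = publicSuffixLength(labels);
  return labels.length > n ? labels.slice(-(n + 1)).join(".") : null;
}

// Storage quota whose bucket is chosen by keyFn(URL).
function makeQuota(limitBytes, keyFn) {
  const used = new Map();
  return (origin, bytes) => {
    const key = keyFn(new URL(origin));
    const total = (used.get(key) || 0) + bytes;
    if (total > limitBytes) return false; // over quota: reject the write
    used.set(key, total);
    return true;
  };
}

const originKey = (u) => u.origin;
const baseDomainKey = (u) => baseDomainOf(u.hostname) || u.hostname;

// How many of `count` subdomains of example.com get to store 4 MB each
// under a 5 MB limit.
function acceptedWrites(keyFn, count) {
  const charge = makeQuota(5e6, keyFn);
  let ok = 0;
  for (let i = 0; i < count; i++) {
    if (charge(`https://s${i}.example.com`, 4e6)) ok++;
  }
  return ok;
}
```

With ten subdomains, the origin-keyed quota accepts every write, while the base-domain-keyed quota accepts only the first.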