- From: Ian Hickson via cvs-syncmail <cvsmail@w3.org>
- Date: Wed, 16 Sep 2009 22:42:00 +0000
- To: public-html-commits@w3.org
Update of /sources/public/html5/spec In directory hutz:/tmp/cvs-serv7758 Modified Files: Overview.html Log Message: Warn about document.domain on shared hosting. (whatwg r3879) Index: Overview.html =================================================================== RCS file: /sources/public/html5/spec/Overview.html,v retrieving revision 1.3042 retrieving revision 1.3043 diff -u -d -r1.3042 -r1.3043 --- Overview.html 16 Sep 2009 11:05:49 -0000 1.3042 +++ Overview.html 16 Sep 2009 22:41:56 -0000 1.3043 @@ -44297,7 +44297,13 @@ </div><p class="note">The <code title="dom-document-domain"><a href="#dom-document-domain">domain</a></code> attribute is used to enable pages on different hosts of a domain to - access each others' DOMs.<h3 id="scripting"><span class="secno">6.5 </span>Scripting</h3><h4 id="introduction-2"><span class="secno">6.5.1 </span>Introduction</h4><p>Various mechanisms can cause author-provided executable code to + access each others' DOMs.<p class="warning">Do not use the <code title="dom-document-domain"><a href="#dom-document-domain">document.domain</a></code> attribute when + using shared hosting. If an untrusted third party is able to host an + HTTP server at the same IP address but on a different port, then the + same-origin protection that normally protects two different sites on + the same host will fail, as the ports are ignored when comparing + origins after the <code title="dom-document-domain"><a href="#dom-document-domain">document.domain</a></code> attribute has + been used.<h3 id="scripting"><span class="secno">6.5 </span>Scripting</h3><h4 id="introduction-2"><span class="secno">6.5.1 </span>Introduction</h4><p>Various mechanisms can cause author-provided executable code to run in the context of a document. These mechanisms include, but are probably not limited to:<ul><li>Processing of <code><a href="#script">script</a></code> elements.</li>
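Review bot: In the added `<p class="warning">`, the condition is stated as an HTTP server "at the same IP address but on a different port", while the consequence in the same sentence is stated in terms of "two different sites on the same host". Origins are compared by host, not by IP address, so the two phrasings describe different situations, and a reader on name-based virtual hosting cannot tell from this text whether sharing an IP address under a different host name is enough to be exposed. Suggest using one term throughout, for example "at the same host but on a different port". It would also help to say whose use of `document.domain` drops the port from the comparison, since "after the document.domain attribute has been used" does not say whether one page or both must have set it.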
Received on Wednesday, 16 September 2009 22:42:08 UTC