hixie: Warn about document.domain on shared hosting. (whatwg r3879)

hixie: Warn about document.domain on shared hosting. (whatwg r3879)

http://dev.w3.org/cvsweb/html5/spec/Overview.html?r1=1.3042&r2=1.3043&f=h
http://html5.org/tools/web-apps-tracker?from=3878&to=3879

===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.3042
retrieving revision 1.3043
diff -u -d -r1.3042 -r1.3043
--- Overview.html 16 Sep 2009 11:05:49 -0000 1.3042
+++ Overview.html 16 Sep 2009 22:41:56 -0000 1.3043
@@ -44297,7 +44297,13 @@
 
   </div><p class="note">The <code title="dom-document-domain"><a href="#dom-document-domain">domain</a></code>
   attribute is used to enable pages on different hosts of a domain to
-  access each others' DOMs.<h3 id="scripting"><span class="secno">6.5 </span>Scripting</h3><h4 id="introduction-2"><span class="secno">6.5.1 </span>Introduction</h4><p>Various mechanisms can cause author-provided executable code to
+  access each others' DOMs.<p class="warning">Do not use the <code title="dom-document-domain"><a href="#dom-document-domain">document.domain</a></code> attribute when
+  using shared hosting. If an untrusted third party is able to host an
+  HTTP server at the same IP address but on a different port, then the
+  same-origin protection that normally protects two different sites on
+  the same host will fail, as the ports are ignored when comparing
+  origins after the <code title="dom-document-domain"><a href="#dom-document-domain">document.domain</a></code> attribute has
+  been used.<h3 id="scripting"><span class="secno">6.5 </span>Scripting</h3><h4 id="introduction-2"><span class="secno">6.5.1 </span>Introduction</h4><p>Various mechanisms can cause author-provided executable code to
   run in the context of a document. These mechanisms include, but are
   probably not limited to:<ul><li>Processing of <code><a href="#script">script</a></code> elements.</li>
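Review bot: the added warning (lines "+  using shared hosting. If an untrusted third party ..." through "+  been used.") omits the precondition that the hostile document must itself set document.domain to the same value before the port is ignored; as written it reads as if merely calling document.domain on the victim page exposes it to any other port on the same IP. Suggest adding that both documents have to set the attribute to the same value, and rewording "two different sites on the same host" to "two sites on the same host but different ports", which is the case the warning is actually about. Also, "when using shared hosting" undersells the condition: the same failure applies to any setup where a third party can bind another port on the same host, not only to hosting providers.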

Received on Wednesday, 16 September 2009 22:42:58 UTC