- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Mon, 29 Sep 2008 11:34:35 -0400
- To: Maciej Stachowiak <mjs@apple.com>
- CC: Adam Barth <w3c@adambarth.com>, HTML WG <public-html@w3.org>
Maciej Stachowiak wrote:
> In WebKit at least, that's not the case. If one site has an origin of
> <http://example.com/> and another has an origin of
> <http://subdomain.example.com/>, and the latter sets document.domain to
> example.com, then no access will be allowed either way

Sure. The origin compare only comes into play if both set .domain, of course; otherwise there's no point in comparing the origins.

> Thus, we track whether document.domain has been set explicitly as an
> additional flag in our representation of a security origin.

Yeah. Gecko has two origin URIs, one of which might be null if domain wasn't set, but it amounts to the same thing.

-Boris
Received on Monday, 29 September 2008 15:35:24 UTC
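
The check discussed in this message, modelled as an added example that is not part of the original e-mail and is not WebKit or Gecko code. `SecurityOrigin`, `setDomain`, `canAccess` and `runScenarios` are hypothetical names, and the suffix test is simplified (real browsers also refuse public suffixes).

```javascript
// Toy model of an origin that records whether document.domain was set explicitly.
class SecurityOrigin {
  constructor(url) {
    const u = new URL(url);
    this.scheme = u.protocol;   // e.g. "http:"
    this.host = u.hostname;
    this.port = u.port;         // "" when the scheme's default port is used
    this.domain = u.hostname;   // effective domain, initially the host
    this.domainWasSet = false;  // the additional flag described in the thread
  }

  // Models `document.domain = value`: only the current domain or a parent of it is accepted.
  setDomain(value) {
    const allowed = this.domain === value || this.domain.endsWith("." + value);
    if (!allowed) throw new Error("SecurityError: " + value + " is not a suffix of " + this.domain);
    this.domain = value;
    this.domainWasSet = true;
  }

  canAccess(other) {
    if (this.scheme !== other.scheme) return false;
    // Both opted in: compare the effective domains (scheme already matched).
    if (this.domainWasSet && other.domainWasSet) return this.domain === other.domain;
    // Neither opted in: ordinary same-origin comparison.
    if (!this.domainWasSet && !other.domainWasSet) {
      return this.host === other.host && this.port === other.port;
    }
    // Only one side set document.domain: no access either way.
    return false;
  }
}

// Walks the case from the thread using the two URLs quoted in it.
function runScenarios() {
  const parent = new SecurityOrigin("http://example.com/");
  const child = new SecurityOrigin("http://subdomain.example.com/");
  const result = {};
  result.initial = [parent.canAccess(child), child.canAccess(parent)];
  child.setDomain("example.com");   // only the subdomain opts in
  result.oneSided = [parent.canAccess(child), child.canAccess(parent)];
  parent.setDomain("example.com");  // now both have set it explicitly
  result.bothSet = [parent.canAccess(child), child.canAccess(parent)];
  return result;
}
```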