- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Fri, 13 Apr 2012 21:03:55 -0400
- To: Ian Hickson <ian@hixie.ch>
- CC: Bobby Holley <bobbyholley@gmail.com>, public-script-coord@w3.org, w3c@adambarth.com, Johnny Stenback <jst@mozilla.com>, Blake Kaplan <mrbkap@mozilla.com>, Daniel Veditz <dveditz@mozilla.com>
On 4/13/12 6:38 PM, Ian Hickson wrote: >> Actually, having revocation is very important in some scenarios; >> otherwise you can't use document.domain securely at all. > > Can you elaborate on that? For example, if you have pages A and B at foo.example.com, and a page C at bar.example.com, and A has any sort of way to get to B, and then both A and C set document.domain to "example.com", then not revoking A's access to B gives C access to B. But B didn't opt in via setting document.domain and may not be expecting access from C. As the spec is written right now, you can do this safely as long as A (and that includes all libraries loaded by A and all browser extensions that might interact with both B and A) is very careful to never hold references to any objects from B except the Window and Document. If A screws this up (or if a browser extesion screws it up by injecting a B object somewhere into A), it screws B over. -Boris
Received on Saturday, 14 April 2012 01:04:27 UTC