- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 19 Nov 2014 14:47:38 +0100
- To: "Mike O'Neill" <michael.oneill@baycloud.com>
- Cc: "David Singer (Standards)" <singer@apple.com>, Tracking Protection Working Group <public-tracking@w3.org>
On Wed, Nov 12, 2014 at 3:39 PM, Mike O'Neill <michael.oneill@baycloud.com> wrote: > As I understand it, in HTML5 the "effective script origin" of a document is the same as the document's "origin" unless the attribute document.domain is changed. That's correct. > I don't know why Anne says document.domain should be avoided for new features, though I take his word for it. Maybe he can explain? Setting document.domain is a very expensive operation (it changes which global objects can reach each other) and weakens security guarantees. With postMessage() it is also no longer required functionality. It is however still supported due to legacy content. Tying new features to effective script origin essentially incentives developers to use document.domain, which would be bad as we hope to eventually be able to remove it. I'll try to get "effective script origin" renamed to "legacy origin" or some such to make this more immediately apparent. -- https://annevankesteren.nl/
Received on Wednesday, 19 November 2014 13:48:05 UTC