- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Thu, 03 Dec 2009 13:14:05 -0800
- To: Adam Barth <w3c@adambarth.com>
- CC: Tyler Close <tyler.close@gmail.com>, Daniel Stenberg <daniel@haxx.se>, Joe Gregorio <joe@bitworking.org>, "Manger, James H" <James.H.Manger@team.telstra.com>, public-web-security@w3.org
On 12/3/09 9:40 AM, Adam Barth wrote:
> On Thu, Dec 3, 2009 at 9:36 AM, Tyler Close <tyler.close@gmail.com> wrote:
>> SOP does allow some mucking around with the domain name topology (via
>> document.domain), but AFAIK, this wouldn't allow foo.example.com to
>> PUT to bar.example.com.
>
> Actually, it does if both foo.example.com and bar.example.com opt in
> by setting their document.domain property to "example.com".

How does setting document.domain allow a cross-domain PUT from a browser? AFAIK the only currently supported way of generating a PUT from a browser is XHR, and that should be ignoring document.domain in its origin determination.

> Yes, document.domain is an abomination. Newer APIs rightfully ignore it.

Amen.
Received on Thursday, 3 December 2009 21:14:53 UTC
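
The distinction drawn in the message above, as an added example that is not part of the original thread: a simplified model of the two checks, one for script-to-DOM access (which honours `document.domain`) and one for XHR (which compares the real scheme, host and port). The `Doc` class and the function names are hypothetical, and the public-suffix restriction that browsers apply to `document.domain` is left out.

```javascript
// Simplified model of the two origin checks (added example, not browser source code).
class Doc {
  constructor(url) {
    const u = new URL(url);
    this.scheme = u.protocol;
    this.host = u.hostname;
    this.port = u.port || (u.protocol === "https:" ? "443" : "80");
    this.domainOverride = null; // set only when a script assigns document.domain
  }
  // Models `document.domain = value`: only the current host or a parent
  // suffix of it is accepted. (Public-suffix rejection is omitted here.)
  setDomain(value) {
    if (value !== this.host && !this.host.endsWith("." + value)) {
      throw new Error("SecurityError");
    }
    this.domainOverride = value;
  }
}

// Script-to-DOM access between two documents: honours document.domain,
// but only when BOTH documents have opted in to the same value.
function domAccessAllowed(a, b) {
  if (a.scheme !== b.scheme) return false;
  if (a.domainOverride !== null || b.domainOverride !== null) {
    return a.domainOverride === b.domainOverride;
  }
  return a.host === b.host && a.port === b.port;
}

// XHR same-origin check: compares the real scheme/host/port of the
// requesting document and never consults domainOverride.
function xhrSameOrigin(doc, targetUrl) {
  const t = new Doc(targetUrl);
  return doc.scheme === t.scheme && doc.host === t.host && doc.port === t.port;
}

// Constructed sample documents using the host names from the thread.
const foo = new Doc("http://foo.example.com/page");
const bar = new Doc("http://bar.example.com/page");
foo.setDomain("example.com");
bar.setDomain("example.com");
console.log("DOM access foo -> bar:", domAccessAllowed(foo, bar));
console.log("XHR foo -> bar same-origin:", xhrSameOrigin(foo, "http://bar.example.com/item"));
```

In this model the mutual opt-in opens DOM access between the two documents, while an XHR from `foo.example.com` to `bar.example.com` is still treated as cross-origin.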