Re: HTTPbis and the Same Origin Policy

On Thu, Dec 3, 2009 at 1:14 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
> On 12/3/09 9:40 AM, Adam Barth wrote:
>> On Thu, Dec 3, 2009 at 9:36 AM, Tyler Close <tyler.close@gmail.com> wrote:
>>> SOP does allow some mucking around with the domain name topology (via
>>> document.domain), but AFAIK, this wouldn't allow foo.example.com to
>>> PUT to bar.example.com.
>>
>> Actually, it does if both foo.example.com and bar.example.com opt in
>> by setting their document.domain property to "example.com".
>
> How does setting document.domain allow a cross-domain PUT from a
> browser? AFAIK the only currently supported way of generating a PUT from
> a browser is XHR, and that should be ignoring document.domain in its
> origin determination.

Imagine frame A is from foo.example.com and frame B is from
bar.example.com.  Now, both set their document.domain to
"example.com".  Once they do this, they can script each other, so
frame A injects a script tag into frame B.  When that script runs, it
can make a PUT request to bar.example.com with XMLHttpRequest.

Adam

Received on Thursday, 3 December 2009 21:27:43 UTC
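
The scenario in the reply above, as an added example that is not part of the original message: a simplified JavaScript model (not browser code) of the two separate checks involved, frame-to-frame DOM access, which honours document.domain, and the XMLHttpRequest origin check, which does not. The helper names and the /resource URL are assumptions made for illustration.

```javascript
// Simplified model of the two checks discussed in the thread (not browser code).
// makeDocument, setDocumentDomain, canScript and xhrIsSameOrigin are hypothetical names.
function makeDocument(url) {
  const u = new URL(url);
  return { scheme: u.protocol, host: u.hostname, port: u.port, domainSet: false, domain: u.hostname };
}

// document.domain may only be relaxed to the current value or a parent domain of it.
// (Real browsers also refuse public suffixes such as "com"; omitted here.)
function setDocumentDomain(doc, value) {
  if (doc.domain !== value && !doc.domain.endsWith("." + value)) {
    throw new Error("SecurityError: " + value + " is not a suffix of " + doc.domain);
  }
  doc.domain = value;
  doc.domainSet = true;
}

// Frame-to-frame DOM access: if either side set document.domain, both must have,
// and the values must match; otherwise compare the full origin.
function canScript(a, b) {
  if (a.scheme !== b.scheme) return false;
  if (a.domainSet || b.domainSet) {
    return a.domainSet && b.domainSet && a.domain === b.domain;
  }
  return a.host === b.host && a.port === b.port;
}

// XMLHttpRequest: the origin is that of the document whose script context issues
// the request; document.domain plays no part in the comparison.
function xhrIsSameOrigin(contextDoc, targetUrl) {
  const t = new URL(targetUrl);
  return contextDoc.scheme === t.protocol && contextDoc.host === t.hostname && contextDoc.port === t.port;
}

function demo() {
  const frameA = makeDocument("http://foo.example.com/a.html");
  const frameB = makeDocument("http://bar.example.com/b.html");
  const target = "http://bar.example.com/resource"; // constructed URL
  const before = canScript(frameA, frameB);
  setDocumentDomain(frameA, "example.com");
  const oneSided = canScript(frameA, frameB);    // only A has opted in
  setDocumentDomain(frameB, "example.com");
  return {
    before, oneSided,
    after: canScript(frameA, frameB),            // both opted in
    xhrFromA: xhrIsSameOrigin(frameA, target),   // A's own script: still cross-origin
    xhrFromB: xhrIsSameOrigin(frameB, target),   // script running inside B: same-origin
  };
}
```

The XHR check never consults document.domain, yet once both frames opt in, any script placed in frame B runs with B's real origin, so bar.example.com's opt-in effectively extends its same-origin XHR capability to foo.example.com.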