- From: Adam Barth <w3c@adambarth.com>
- Date: Thu, 3 Dec 2009 13:26:46 -0800
- To: Daniel Veditz <dveditz@mozilla.com>
- Cc: Tyler Close <tyler.close@gmail.com>, Daniel Stenberg <daniel@haxx.se>, Joe Gregorio <joe@bitworking.org>, "Manger, James H" <James.H.Manger@team.telstra.com>, public-web-security@w3.org
On Thu, Dec 3, 2009 at 1:14 PM, Daniel Veditz <dveditz@mozilla.com> wrote: > On 12/3/09 9:40 AM, Adam Barth wrote: >> On Thu, Dec 3, 2009 at 9:36 AM, Tyler Close <tyler.close@gmail.com> wrote: >>> SOP does allow some mucking around with the domain name topology (via >>> document.domain), but AFAIK, this wouldn't allow foo.example.com to >>> PUT to bar.example.com. >> >> Actually, it does if both foo.example.com and bar.example.com opt in >> by setting their document.domain property to "example.com". > > How does setting document.domain allow a cross-domain PUT from a > browser? AFAIK the only currently supported way of generating a PUT from > a browser is XHR, and that should be ignoring document.domain in its > origin determination. Imagine frame A is from foo.example.com and frame B is from bar.example.com. Now, both set their document.domain to "example.com". Once they do this, they can script each other, so frame A injects a script tag into frame B. When that script runs, it can make a PUT request to bar.example.com with XMLHttpRequest. Adam
Received on Thursday, 3 December 2009 21:27:43 UTC