- From: Jonas Sicking <jonas@sicking.cc>
- Date: Fri, 21 Sep 2007 12:13:44 -0700
- To: Boris Zbarsky <bzbarsky@MIT.EDU>
- Cc: Anne van Kesteren <annevk@opera.com>, "Web API WG (public)" <public-webapi@w3.org>
Boris Zbarsky wrote:
>
> Anne van Kesteren wrote:
>> I think HTML5 needs to define this as my understanding is that
>> document.domain is also relevant in deciding whether or not a request
>> is same-origin.
>
> Actually, I don't think it is. I know IE and Gecko ignore
> document.domain for the existing same-origin checks... Gecko used to
> take it into account, but of course that broke sites given that IE
> ignores it.

Taking document.domain into account when doing same-origin network activity would in fact be unsafe. Otherwise content at people.example.edu would be able to load data from example.edu which might not be safe.

In fact, in order for people.example.edu to talk to example.edu, *both* sites must explicitly have set document.domain to example.edu. This is of course not something that can happen before a network request, as the requested site has no way of setting document.domain.

Not sure how things originally worked when document.domain was implemented many moons ago, but at this point all vendors have fixed this issue.

/ Jonas
Received on Friday, 21 September 2007 19:13:41 UTC
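The two checks Jonas contrasts above, modelled as an added example that is not part of this thread or of any browser's code: a network request is judged on scheme, host and port alone, while script access between two documents is relaxed only when both documents have explicitly set document.domain to the same value. The `effectiveDomain` field is an assumed stand-in for the value a page assigned to document.domain (`null` meaning it never did); the model follows the HTML Standard in ignoring the port once both sides have opted in.

```javascript
// Constructed model of the same-origin rules discussed in the thread.
// Assumption: effectiveDomain holds what a page assigned to document.domain,
// or null if the page never touched it.

function parseOrigin(url) {
  const u = new URL(url);
  const scheme = u.protocol.replace(':', '');
  const port = u.port || (scheme === 'https' ? '443' : '80');
  return { scheme, host: u.hostname, port };
}

// Same-origin check for network requests (e.g. XMLHttpRequest):
// document.domain plays no part, so people.example.edu may not read
// data from example.edu regardless of what either page set.
function isSameOriginRequest(pageUrl, targetUrl) {
  const a = parseOrigin(pageUrl);
  const b = parseOrigin(targetUrl);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// A page may only set document.domain to its own host or a suffix of it.
function isDomainSuffixOf(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Script access between two documents. Without any document.domain
// assignment this is the plain origin comparison; with assignments,
// BOTH sides must have opted in to the same domain (a request from a
// page that set document.domain alone gains nothing).
function canScriptAccess(docA, docB) {
  const a = parseOrigin(docA.url);
  const b = parseOrigin(docB.url);
  if (a.scheme !== b.scheme) return false;
  const aSet = docA.effectiveDomain !== null;
  const bSet = docB.effectiveDomain !== null;
  if (!aSet && !bSet) return a.host === b.host && a.port === b.port;
  if (aSet !== bSet) return false; // one-sided opt-in is not enough
  return docA.effectiveDomain === docB.effectiveDomain &&
    isDomainSuffixOf(a.host, docA.effectiveDomain) &&
    isDomainSuffixOf(b.host, docB.effectiveDomain);
}

module.exports = { parseOrigin, isSameOriginRequest, canScriptAccess };
```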