- From: Maciej Stachowiak <mjs@apple.com>
- Date: Fri, 21 Sep 2007 20:28:13 -0700
- To: Anne van Kesteren <annevk@opera.com>
- Cc: "Web API WG (public)" <public-webapi@w3.org>
On Sep 21, 2007, at 3:34 AM, Anne van Kesteren wrote:

> On Wed, 29 Aug 2007 05:04:24 +0200, Maciej Stachowiak <mjs@apple.com> wrote:
>> Since this affects interoperability as well as security I would suggest adding a definition, unless the spec expected to define same-origin is going to happen soon.
>
> I think HTML5 needs to define this as my understanding is that document.domain is also relevant in deciding whether or not a request is same-origin. I'm not sure if that's happening soon though.

I don't think document.domain would apply when determining same origin for XMLHttpRequest. document.domain only relaxes access rules if both the source and target frame set document.domain. This prevents foo.bar.com from unilaterally deciding it should have access to a bar.com subframe. But there is no target frame in the case of XMLHttpRequest, so this can't apply.

Note that document.domain (when set by both source and target frame) also lets you ignore port and protocol differences, which once again is not desirable for XHR.

Regards,
Maciej
Received on Saturday, 22 September 2007 03:28:24 UTC
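The two rules the message contrasts, written out as an added JavaScript illustration that is not part of the thread: the strict (scheme, host, port) comparison the message argues applies to XMLHttpRequest, beside the frame-access relaxation it describes for document.domain. The `makeFrame` helper, its `documentDomain` field and the host-suffix check are modelling assumptions, not text from the thread or any spec.

```javascript
// Added illustration (not from the thread): the strict origin check the message
// says applies to XMLHttpRequest, beside the frame-access relaxation it describes
// for document.domain. Field names and the suffix rule are modelling assumptions.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Origin as a (scheme, host, port) tuple, with the scheme's default port filled in
// so that http://a.example/ and http://a.example:80/ compare equal.
function originOf(urlString) {
  const u = new URL(urlString);
  return { scheme: u.protocol, host: u.hostname, port: u.port || DEFAULT_PORTS[u.protocol] || "" };
}

// XHR: there is no target frame, so nothing can be relaxed; all three parts must match.
function xhrSameOrigin(documentUrl, requestUrl) {
  const a = originOf(documentUrl), b = originOf(requestUrl);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// A frame: its document URL plus the value it assigned to document.domain (null if unset).
function makeFrame(url, documentDomain = null) {
  const host = originOf(url).host;
  // Browsers only accept the current host itself or a dot-separated suffix of it.
  if (documentDomain !== null && documentDomain !== host && !host.endsWith("." + documentDomain)) {
    throw new Error(`cannot set document.domain to ${documentDomain} from ${host}`);
  }
  return { url, documentDomain };
}

// Frame access as the message describes it: plain same-origin passes (assumption);
// otherwise BOTH sides must have set document.domain to the same value, and only
// then are port and protocol differences ignored. One side setting it alone
// changes nothing, so foo.bar.com cannot grant itself access to a bar.com frame.
function frameAccessAllowed(source, target) {
  if (xhrSameOrigin(source.url, target.url)) return true;
  if (source.documentDomain === null || target.documentDomain === null) return false;
  return source.documentDomain === target.documentDomain;
}
```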