- From: Hallvord R. M. Steen <hallvord@opera.com>
- Date: Wed, 26 Sep 2007 23:03:47 +0200
- To: "Maciej Stachowiak" <mjs@apple.com>, "Anne van Kesteren" <annevk@opera.com>
- Cc: "Web API WG (public)" <public-webapi@w3.org>
On Sat, 22 Sep 2007 05:28:13 +0200, Maciej Stachowiak <mjs@apple.com>
wrote:
>> I think HTML5 needs to define this as my understanding is that
>> document.domain is also relevant in deciding whether or not a request
>> is same-origin. I'm not sure if that's happening soon though.
>
> I don't think document.domain would apply when determining same origin
> for XMLHttpRequest.
This is actually supported in Opera, XHR is allowed to both original
hostname and document.domain . So this won't show an alert on
http://www.example.org/ :
javascript: document.domain='example.org';var x; try{(x=new
XMLHttpRequest()).open('GET', 'http://example.org/',
true);void(x.send(null));}catch(e){ alert(e);}
(This was implemented on suggestions from live.com )
> Note that document.domain (when set by both source and target frame)
> also lets you ignore port and protocol differences, which once again is
> not desirable for XHR.
I know we ignore port differences but I don't think we ignore protocol.
Are you saying that Safari lets https://secure.example.org/ talk to
http://www.example.org if they both set document.domain to example.org ?
--
Hallvord R. M. Steen
Core QA JavaScript tester, Opera Software
http://www.opera.com/
Opera - simply the best Internet experience
Received on Wednesday, 26 September 2007 21:00:32 UTC