- From: Philip Jägenstedt <notifications@github.com>
- Date: Mon, 16 Apr 2018 12:45:02 +0000 (UTC)
- To: whatwg/dom <dom@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/dom/issues/410/381586352@github.com>
The results of a [fresh search](https://bigquery.cloud.google.com/savedquery/762219082167:b9244bf110fe4952b0a8717cc49da291) for "document.origin" are in [document_origin.json](https://storage.googleapis.com/blink-httparchive-export/document_origin.json.gz). I used [unjson](https://github.com/foolip/unhar/blob/master/unjson) to split it into 2419 files. I split those into different buckets to try to filter out the harmless stuff. The result I've uploaded as [document_origin.tgz](https://storage.googleapis.com/blink-httparchive-export/document_origin.tgz).

Almost all (2205) fall into the false-positives, fingerprinting, and not-broken buckets.

In the maybe-broken bucket there are these sites that could throw an exception if document.origin isn't there and I can reach the code path in Chrome:

- http://www.amebaownd.com/
- http://www.aromaspace-japan.tokyo/
- http://www.brandnewidolsociety.tokyo/
- http://www.hiroyuki.com/
- http://www.hi-vision.net/
- http://www.mienoko.jp/
- http://www.yuqinakamura.jp/

But they still seem to work fine in Firefox, can't see what's broken, if anything.

Also in the maybe-broken bucket is a bunch of sites that include https://assets.pscp.tv/univ/main-da74a29ac84387feaee6.js, including http://www.pscp.tv/ itself. It has this event handler:

```JavaScript
window.addEventListener("message", function(t) {
    var n = t.origin || t.originalEvent.origin === document.origin
      , r = t.source === e.popup;
    n && r && e.props.onMessage && e.props.onMessage({
        message: t.data
    })
})
```

But I can't reach that code path in Chrome, not sure what it takes.

There are 80 hits that didn't fall into a bucket and would need individual checking. I checked a few and couldn't find any breakage and nothing that screamed "this will break" on the same lines in grep.
Still, some might be affected: (not checked/filtered for porn, which often shows up in these analyses)

- http://aktuelnaturvidenskab.dk/
- http://cs.au.dk/
- http://www.ab.gr/
- http://www.adbug.cn/
- http://www.adexchanger.cn/
- http://www.adme.ru/
- http://www.ascc2017.com/
- http://www.attendstar.com/
- http://www.au.dk/
- http://www.avito.ru/
- http://www.avito.ru/
- http://www.avito.st/
- http://www.avito.st/
- http://www.bikeworld.pl/
- http://www.brightside.me/
- http://www.cargotec.com/
- http://www.cassidytravel.ie/
- http://www.codio.com/
- http://www.delhaize.be/
- http://www.devdocs.io/
- http://www.ellechina.com/
- http://www.fiverr.com/
- http://www.fiverr.co.uk/
- http://www.fivver.com/
- http://www.genial.guru/
- http://www.glamsquad.com/
- http://www.griffith.edu.au/
- http://www.hackster.io/
- http://www.haiwai.com/
- http://www.hermo.my/
- http://www.heroic.academy/
- http://www.hijup.com/
- http://www.incrivel.club/
- http://www.irishlife.ie/
- http://www.jackrogersusa.com/
- http://www.kadenze.com/
- http://www.lariojaturismo.com/
- http://www.learnnext.com/
- http://www.letsrecap.com/
- http://www.likemtr.ru/
- http://www.loandepot.com/
- http://www.magisto.com/
- http://www.mgen.fr/
- http://www.multisim.com/
- http://www.newslaundry.com/
- http://www.nextgurukul.in/
- http://www.olx.ru/
- http://www.olx.ru/
- http://www.pigeonhole.at/
- http://www.plumbnation.co.uk/
- http://www.promovacances.com/
- http://www.pymex.pe/
- http://www.reacttraining.com/
- http://www.slando.ru/
- http://www.slando.ru/
- http://www.sparks-lab.org/
- http://www.sympa-sympa.com/
- http://www.trendwatching.com/
- http://www.trustscam.es/
- http://www.turfomania.fr/
- http://www.universalorlando.com/
- http://www.whistler.com/
- http://www.yves-rocher.cz/
- http://www.yves-rocher.ro/

Noteworthy is that on http://www.ing.com.au/ there are traces of a web developer wasting time because of this interop issue, with a comment saying "document.origin is not by ie":

```
function InterestRateManager() {
    //document.origin is not by ie
    this.serviceUrl = location.protocol + '//' + location.host + "/ReverseProxy/ProductService/V1/productservice.svc/json/interestrates/ currenteffective";
```

That's it.

To me it seems like we *should* try to deprecate and remove this, because neither I nor @mikewest could find something that would break badly, *and* I found evidence of web developers being bitten by the interop problem.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/dom/issues/410#issuecomment-381586352
Received on Monday, 16 April 2018 12:45:29 UTC
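
Added example, not part of the original message and not code from any site named in it: one way for a `message` handler like the one quoted above to validate the sender without relying on `document.origin`. The window-like objects (`blinkLike`, `geckoLike`, `oldIeLike`), the `popup` object and the `example.test` origins are constructed for illustration, and the function names are hypothetical.

```javascript
// Window-like objects are passed in so the same logic runs in a browser
// (pass `window`) and under Node. All sample objects below are constructed.

// Origin of the current page, never reading the non-standard document.origin.
function pageOrigin(win) {
  if (typeof win.origin === "string") return win.origin;   // self.origin
  const loc = win.location;
  if (typeof loc.origin === "string") return loc.origin;   // location.origin
  return loc.protocol + "//" + loc.host;                   // oldest fallback
}

// Check that depends on document.origin: where the property is undefined
// the comparison is always false, so every message is silently dropped.
function legacyIsSameOrigin(event, doc) {
  return event.origin === doc.origin;
}

// Portable check: resolve the sender origin first (native event, or a
// wrapper exposing originalEvent), then compare both origin and source.
function isExpectedMessage(event, win, expectedSource) {
  const sender = event.origin ||
    (event.originalEvent ? event.originalEvent.origin : undefined);
  return typeof sender === "string" &&
    sender === pageOrigin(win) &&
    event.source === expectedSource;
}

// Constructed sample data.
const popup = { name: "constructed popup handle" };
const ORIGIN = "https://example.test";
const loc = { protocol: "https:", host: "example.test", origin: ORIGIN };
const blinkLike = { origin: ORIGIN, location: loc, document: { origin: ORIGIN } };
const geckoLike = { origin: ORIGIN, location: loc, document: {} };
const oldIeLike = {
  location: { protocol: "https:", host: "example.test" },
  document: {},
};
const sameOriginMsg = { origin: ORIGIN, source: popup, data: "ok" };
const foreignMsg = { origin: "https://other.example.test", source: popup };
const wrappedMsg = { originalEvent: { origin: ORIGIN }, source: popup };

for (const [name, win] of Object.entries({ blinkLike, geckoLike, oldIeLike })) {
  console.log(name,
    "legacy:", legacyIsSameOrigin(sameOriginMsg, win.document),
    "portable:", isExpectedMessage(sameOriginMsg, win, popup));
}
```

In a browser, call `isExpectedMessage(event, window, popupWindow)` at the top of the listener and return early when it is false.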