- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 10 Aug 2010 23:55:37 +0000 (UTC)
On Wed, 14 Jul 2010, James Graham wrote:
>
> Following some discussion of [1], it was pointed out to me that it is
> possible to make two pages on separate subdomains communicate without
> either setting their document.domain by proxying the communication
> through pages that have set their document.domain. There is a demo of
> this at [2].
>
> I'm not sure if this is already well-known nor whether it is harmless or
> not.
>
> [1] http://my.opera.com/hallvors/blog/2010/07/13/ebay-versus-security-policy-consistency
> [2] http://sloth.whyi.org/~jl/cross-domain.html

On Wed, 14 Jul 2010, Adam Barth wrote:
>
> This is well-known
>
> http://www.collinjackson.com/research/papers/fp801-jackson.pdf
>
> but not a good idea (see Section 4.4):
>
> http://www.adambarth.com/papers/2009/barth-weinberger-song.pdf

I haven't changed the spec regarding this, since it's not clear what a
better solution would be. If anyone has a concrete proposal for what we
should require, please let me know.

--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 10 August 2010 16:55:37 UTC
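
The proxying described in the quoted message can be followed in a small model of the same origin-domain check. This is an added example, not code from the thread or from the linked demo. The `Page` class, the `grab` helper, the `example.com` hosts, and the rule that references a page already holds are not re-checked are all assumptions of the model.

```javascript
// Model of the "same origin-domain" check; not browser code.
// All hosts are constructed sample values.
class Page {
  constructor(host) {
    this.scheme = 'http'; this.host = host; this.port = 80;
    this.domain = null;      // stays null until the page assigns document.domain
    this.held = new Map();   // object references this page already holds
    this.inbox = []; this.outbox = [];
  }
}

// Access is allowed when both pages set document.domain to the same value,
// or when neither set it and scheme, host and port all match.
function sameOriginDomain(a, b) {
  if (a.scheme !== b.scheme) return false;
  if (a.domain !== null && b.domain !== null) return a.domain === b.domain;
  if (a.domain === null && b.domain === null) return a.host === b.host && a.port === b.port;
  return false;              // only one side opted in
}

// The check runs when `reader` reads a property of `target`'s window.
// Model assumption: references obtained earlier are never re-checked.
function grab(reader, target, name, pick) {
  if (!sameOriginDomain(reader, target)) return false;
  reader.held.set(name, pick(target));
  return true;
}

function runScenario() {
  const a = new Page('a.example.com'), b = new Page('b.example.com');
  const helperA = new Page('a.example.com'), helperB = new Page('b.example.com');
  const direct = grab(a, b, 'peerInbox', p => p.inbox);            // denied
  // Each helper is same-origin with its parent and takes a reference first.
  grab(helperA, a, 'parentOutbox', p => p.outbox);
  grab(helperB, b, 'parentInbox', p => p.inbox);
  helperA.domain = helperB.domain = 'example.com';                 // helpers opt in
  const helperToParent = sameOriginDomain(helperA, a);             // now one-sided
  const relay = grab(helperA, helperB, 'peerInbox', p => p.held.get('parentInbox'));
  a.outbox.push('hello from a');                                   // a touches only itself
  for (const m of helperA.held.get('parentOutbox')) helperA.held.get('peerInbox').push(m);
  return { direct, helperToParent, relay, delivered: [...b.inbox],
           aDomain: a.domain, bDomain: b.domain };
}

console.log(runScenario());
```

In the model, a page that never sets document.domain is still reachable through a same-host page that does, so isolation between subdomains has to be judged per host rather than per page.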