[html5] r3879 - [a] (0) Warn about document.domain on shared hosting.

whatwg at whatwg.org whatwg at whatwg.org
Wed Sep 16 15:47:46 PDT 2009


Author: ianh
Date: 2009-09-16 15:47:45 -0700 (Wed, 16 Sep 2009)
New Revision: 3879

Modified:
   index
   source
Log:
[a] (0) Warn about document.domain on shared hosting.

Modified: index
===================================================================
--- index	2009-09-16 22:22:17 UTC (rev 3878)
+++ index	2009-09-16 22:47:45 UTC (rev 3879)
@@ -49239,8 +49239,16 @@
   attribute is used to enable pages on different hosts of a domain to
   access each others' DOMs.</p>
 
+  <p class=warning>Do not use the <code title=dom-document-domain><a href=#dom-document-domain>document.domain</a></code> attribute when
+  using shared hosting. If an untrusted third party is able to host an
+  HTTP server at the same IP address but on a different port, then the
+  same-origin protection that normally protects two different sites on
+  the same host will fail, as the ports are ignored when comparing
+  origins after the <code title=dom-document-domain><a href=#dom-document-domain>document.domain</a></code> attribute has
+  been used.</p>
 
 
+
   <h3 id=scripting><span class=secno>6.5 </span>Scripting</h3>
 
   <h4 id=introduction-2><span class=secno>6.5.1 </span>Introduction</h4>
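
Review bot: the added `+` blank line just before `<h3 id=scripting>` leaves three consecutive blank lines between the new warning paragraph and the heading; since `index` is generated from `source`, drop the extra blank line there so the regenerated `index` stays consistent with the single-blank-line spacing used around the surrounding paragraphs.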

Modified: source
===================================================================
--- source	2009-09-16 22:22:17 UTC (rev 3878)
+++ source	2009-09-16 22:47:45 UTC (rev 3879)
@@ -53988,9 +53988,8 @@
 
    <li><p>If the <span>parent browsing context</span>'s <span>active
    document</span> does not have the <span>same</span> <span>effective
-   script origin</span> as the script that is accessing the <code
-   title="dom-frameElement">frameElement</code> attribute, then throw
-   a <code>SECURITY_ERR</code> exception.</p></li>
+   script origin</span> as the <span>first script</span>, then throw a
+   <code>SECURITY_ERR</code> exception.</p></li>
 
    <li><p>Otherwise, return the <span>browsing context
    container</span> for <var title="">b</var>.</p></li>
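Review bot: this change to the `frameElement` algorithm (comparing against the "first script" rather than "the script that is accessing the frameElement attribute") is not mentioned in the log message, which only covers the document.domain warning, and there is no matching hunk in `index` in this revision; please either extend the log to say that the security check in `frameElement` now uses the first script's effective script origin, or confirm that `index` is already in sync, so that anyone auditing who may read a parent's browsing context container can see that this check changed.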
@@ -55565,8 +55564,18 @@
   attribute is used to enable pages on different hosts of a domain to
   access each others' DOMs.</p>
 
+  <p class="warning">Do not use the <code
+  title="dom-document-domain">document.domain</code> attribute when
+  using shared hosting. If an untrusted third party is able to host an
+  HTTP server at the same IP address but on a different port, then the
+  same-origin protection that normally protects two different sites on
+  the same host will fail, as the ports are ignored when comparing
+  origins after the <code
+  title="dom-document-domain">document.domain</code> attribute has
+  been used.</p>
 
 
+
   <h3 id="scripting">Scripting</h3>
 
   <h4>Introduction</h4>
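
Review bot: the warning explains the consequence (ports are ignored when comparing origins once document.domain has been used) but not the precondition on the other side, that is, whether the third party's page on the other port must itself also set document.domain to the same value before the two documents compare as same-origin; stating that condition explicitly would let readers judge whether their hosting arrangement is affected and would make the first sentence's absolute "Do not use ... when using shared hosting" more precise, for example "when an untrusted party can serve HTTP from another port on the same IP address". Also, the `+` blank line added just before `<h3 id="scripting">` results in three consecutive blank lines; one is enough here.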