[whatwg] proposal for a location.domain property

Maciej Stachowiak mjs at apple.com
Fri May 25 18:58:36 PDT 2012


On May 25, 2012, at 4:27 AM, João Eiras <joaoe at opera.com> wrote:

> On Thu, 24 May 2012 23:02:00 +0200, Maciej Stachowiak <mjs at apple.com> wrote:
> 
>> 
>> I agree. Even though there are still legacy features like cookies and document.domain that use domain-based security, most of the Web platform uses origin-based security, and that has proved to be a sounder model. While I acknowledge the use cases for exposing location.domain, it's also likely to become an attractive nuisance that pulls developers in the wrong direction.
>> 
> 
> Although I understand this opinion and agree with it, the domain-based security checks are used for cross frame interaction, cookies, security certificates, etc., therefore it has to be specified and documented.

When you say "cross frame interaction", do you mean just the relatively rare case of document.domain being explicitly set?

I agree with you that we must document the right rules for what domains are valid, but I do not think that this requires exposing location.domain explicitly.

> 
> I don't think adding a location.tld property or location.topDomain would pull developers away from anything. It would just make the legacy domain-based security checks a bit easier to handle and understand. It's the specifications and APIs that tell which security model to use, not the developer.

I don't think location.domain would be the same as location.tld, to the extent I understand the intent of them. For the URL "http://www.apple.com/", "apple.com" would be the domain, and "com" would be the TLD.

Regards,
Maciej
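
Added example, not part of the original message or of any specification: a sketch contrasting an origin comparison with the looser domain comparison discussed in this thread, using the message's own URL. The function names and the three-entry suffix list are assumptions made for illustration; a real check would use the full Public Suffix List.

```javascript
// Constructed stand-in for the Public Suffix List (assumption: real code
// would load the full list; these three entries are for illustration only).
const SAMPLE_SUFFIXES = new Set(["com", "org", "co.uk"]);

// Origin is the (scheme, host, port) tuple, as serialized by the URL parser.
function originOf(url) {
  return new URL(url).origin;
}

// Longest suffix of the host found in the sample list ("com", "co.uk", ...).
function publicSuffixOf(host) {
  const labels = host.split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (SAMPLE_SUFFIXES.has(candidate)) return candidate;
  }
  return labels[labels.length - 1]; // unknown suffix: fall back to last label
}

// Public suffix plus one label: "apple.com" for "www.apple.com".
// Returns null for IP literals and for hosts that are themselves a suffix.
function registrableDomainOf(url) {
  const host = new URL(url).hostname;
  if (/^[\d.]+$/.test(host) || host.includes(":")) return null;
  const suffix = publicSuffixOf(host);
  if (host === suffix) return null;
  const rest = host.slice(0, host.length - suffix.length - 1).split(".");
  return rest[rest.length - 1] + "." + suffix;
}

// Compare two URLs under both models.
function compare(a, b) {
  const da = registrableDomainOf(a);
  return {
    sameOrigin: originOf(a) === originOf(b),
    sameDomain: da !== null && da === registrableDomainOf(b),
  };
}

// Constructed inputs: the message's URL against sibling hosts and schemes.
const base = "http://www.apple.com/";
for (const other of ["http://www.apple.com/path", "https://www.apple.com/",
                     "http://other.apple.com:8080/", "http://www.example.org/"]) {
  console.log(other, compare(base, other));
}
```

A different scheme, host or port breaks the origin match while the domain match still holds, which is why a domain-keyed check admits more parties than an origin-keyed one.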