Commit

[a] (0) Warn about document.domain on shared hosting.
git-svn-id: http://svn.whatwg.org/webapps@3879 340c8d12-0b0e-0410-8428-c7bf67bfef74
Hixie committed Sep 16, 2009
1 parent f5733d1 commit a7708bf
Showing 2 changed files with 20 additions and 3 deletions.
8 changes: 8 additions & 0 deletions index
Expand Up @@ -49239,6 +49239,14 @@ interface <dfn id=window>Window</dfn> {
attribute is used to enable pages on different hosts of a domain to
access each others' DOMs.</p>

<p class=warning>Do not use the <code title=dom-document-domain><a href=#dom-document-domain>document.domain</a></code> attribute when
using shared hosting. If an untrusted third party is able to host an
HTTP server at the same IP address but on a different port, then the
same-origin protection that normally protects two different sites on
the same host will fail, as the ports are ignored when comparing
origins after the <code title=dom-document-domain><a href=#dom-document-domain>document.domain</a></code> attribute has
been used.</p>



<h3 id=scripting><span class=secno>6.5 </span>Scripting</h3>
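Review bot: The added warning paragraph states the condition as "at the same IP address but on a different port", while the rest of the same sentence speaks of "two different sites on the same host". Origins are compared by host name, not by IP address, so the exposure is a third party's server being reachable under the same host name on another port. Consider wording the condition in terms of the host name so both halves of the sentence use the same term.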
15 changes: 12 additions & 3 deletions source
Expand Up @@ -53988,9 +53988,8 @@ document.body.appendChild(outer);</pre>

<li><p>If the <span>parent browsing context</span>'s <span>active
document</span> does not have the <span>same</span> <span>effective
script origin</span> as the script that is accessing the <code
title="dom-frameElement">frameElement</code> attribute, then throw
a <code>SECURITY_ERR</code> exception.</p></li>
script origin</span> as the <span>first script</span>, then throw a
<code>SECURITY_ERR</code> exception.</p></li>

<li><p>Otherwise, return the <span>browsing context
container</span> for <var title="">b</var>.</p></li>
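Review bot: The frameElement step in this hunk now compares against the "first script" instead of "the script that is accessing the frameElement attribute", which is unrelated to the document.domain warning named in the commit message. It would be easier to trace as its own commit, or at least with a line in the message. Also, `index` is listed with 8 additions and 0 deletions, so the corresponding step there still carries the old wording and needs regenerating.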
Expand Down Expand Up @@ -55565,6 +55564,16 @@ interface <dfn>Window</dfn> {
attribute is used to enable pages on different hosts of a domain to
access each others' DOMs.</p>

<p class="warning">Do not use the <code
title="dom-document-domain">document.domain</code> attribute when
using shared hosting. If an untrusted third party is able to host an
HTTP server at the same IP address but on a different port, then the
same-origin protection that normally protects two different sites on
the same host will fail, as the ports are ignored when comparing
origins after the <code
title="dom-document-domain">document.domain</code> attribute has
been used.</p>



<h3 id="scripting">Scripting</h3>
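Review bot: In the new warning paragraph, "after the document.domain attribute has been used" does not say by whom: the page being protected, the third party's page, or both. A reader deciding whether their site is exposed needs that, so consider naming which document or documents must have set the attribute for the port to be ignored. The paragraph also gives only "Do not use" as guidance; a short pointer to what authors on shared hosting should do instead would make the warning actionable.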

0 comments on commit a7708bf