HTML Standard Tracker



SVN: 3879
Bug:
Comment: [Authors] Warn about document.domain on shared hosting.
Time (UTC): 2009-09-16 22:47
@@ -53981,23 +53981,22 @@ document.body.appendChild(outer);</pre>
   the following algorithm:</p>
    <li><p>If <var title="">d</var> is not a <code>Document</code> in a
    <span>child browsing context</span>, return null and abort these
    <li><p>If the <span>parent browsing context</span>'s <span>active
    document</span> does not have the <span>same</span> <span>effective
-   script origin</span> as the script that is accessing the <code
-   title="dom-frameElement">frameElement</code> attribute, then throw
-   a <code>SECURITY_ERR</code> exception.</p></li>
+   script origin</span> as the <span>first script</span>, then throw a
+   <code>SECURITY_ERR</code> exception.</p></li>
    <li><p>Otherwise, return the <span>browsing context
    container</span> for <var title="">b</var>.</p></li>
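Review bot: this hunk changes a security check (the frameElement origin comparison now uses "the first script" instead of "the script that is accessing the frameElement attribute"), but the commit message only mentions the document.domain warning; either mention the frameElement change in the commit message or land it separately so the change to a security check can be reviewed on its own. It is also worth confirming that "first script" is the term the other security checks in this section use for the calling script, since the two phrasings do not necessarily identify the same script when the attribute is reached through an intermediary.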
@@ -55558,20 +55557,30 @@ interface <dfn>Window</dfn> {
   <code>Document</code> is the host part of the document's
   <span>origin</span>, if that is a scheme/host/port tuple. If it
   isn't, then the document does not have a domain.</p>
   <p class="note">The <code title="dom-document-domain">domain</code>
   attribute is used to enable pages on different hosts of a domain to
   access each others' DOMs.</p>
+  <p class="warning">Do not use the <code
+  title="dom-document-domain">document.domain</code> attribute when
+  using shared hosting. If an untrusted third party is able to host an
+  HTTP server at the same IP address but on a different port, then the
+  same-origin protection that normally protects two different sites on
+  the same host will fail, as the ports are ignored when comparing
+  origins after the <code
+  title="dom-document-domain">document.domain</code> attribute has
+  been used.</p>
   <h3 id="scripting">Scripting</h3>
   <p>Various mechanisms can cause author-provided executable code to
   run in the context of a document. These mechanisms include, but are
   probably not limited to:</p>
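Review bot: the new warning names the attribute as document.domain while the note directly above it refers to it as the domain attribute using the same title="dom-document-domain" reference; pick one form so the cross-reference reads consistently within the section. The warning also frames the precondition as an attacker "at the same IP address but on a different port", while the comparison being weakened is between the two documents' origins, which are keyed on host name; saying that the attacker's server is reachable under the same host name as the page (which is what sharing the IP address gives on shared hosting) would make it clearer why "two different sites on the same host" lose their protection. Finally, "after the document.domain attribute has been used" leaves it ambiguous whether one or both documents must have set the attribute for the port to be ignored; stating this explicitly would make the warning actionable.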