HTML Standard Tracker

Diff (omit for latest revision)

Short URL:

File a bug

SVNBugCommentTime (UTC)
3879[Authors] Warn about document.domain on shared hosting.2009-09-16 22:47
Index: source
--- source	(revision 3878)
+++ source	(revision 3879)
@@ -53988,9 +53988,8 @@
    <li><p>If the <span>parent browsing context</span>'s <span>active
    document</span> does not have the <span>same</span> <span>effective
-   script origin</span> as the script that is accessing the <code
-   title="dom-frameElement">frameElement</code> attribute, then throw
-   a <code>SECURITY_ERR</code> exception.</p></li>
+   script origin</span> as the <span>first script</span>, then throw a
+   <code>SECURITY_ERR</code> exception.</p></li>
    <li><p>Otherwise, return the <span>browsing context
    container</span> for <var title="">b</var>.</p></li>
@@ -55565,8 +55564,18 @@
   attribute is used to enable pages on different hosts of a domain to
   access each others' DOMs.</p>
+  <p class="warning">Do not use the <code
+  title="dom-document-domain">document.domain</code> attribute when
+  using shared hosting. If an untrusted third party is able to host an
+  HTTP server at the same IP address but on a different port, then the
+  same-origin protection that normally protects two different sites on
+  the same host will fail, as the ports are ignored when comparing
+  origins after the <code
+  title="dom-document-domain">document.domain</code> attribute has
+  been used.</p>
   <h3 id="scripting">Scripting</h3>