New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement document.domain #934
Comments
Actually, need to neuter indexed/named access to subframes too. Or make it async. Or something. |
And in particular, if that access gets you a same-origin frame, there's a possible problem |
Test that MediaControllers use the same task source when firing events
Visiting for triage: as of today, this is still not done
|
Fixed by #8655. |
I think the document.domain setter is still missing. |
Some discussion on IRC with @bzbarsky that's relevant to mutating |
A first-cut implementation for the setter: asajeffrey@7aaa5c6 |
A PR for the setter: #15536. |
Implement setter for document.domain <!-- Please describe your changes on the following line: --> This PR implements the setter for `document.domain`. It builds on #15438 and #15478, only the last commit is part of this PR. It includes tests for similar-origin security checks. --- <!-- Thank you for contributing to Servo! Please replace each `[ ]` by `[X]` when the step is complete, and replace `__` with appropriate data: --> - [X] `./mach build -d` does not report any errors - [X] `./mach test-tidy` does not report any errors - [X] These changes fix #934. - [X] There are tests for these changes. <!-- Pull requests that do not address these steps are welcome, but they will require additional verification as part of the review process. --> <!-- Reviewable:start --> --- This change is [<img src="https://reviewable.io/review_button.svg" height="34" align="absmiddle" alt="Reviewable"/>](https://reviewable.io/reviews/servo/servo/15536) <!-- Reviewable:end -->
Implement setter for document.domain <!-- Please describe your changes on the following line: --> This PR implements the setter for `document.domain`. It builds on #15438 and #15478, only the last commit is part of this PR. It includes tests for similar-origin security checks. --- <!-- Thank you for contributing to Servo! Please replace each `[ ]` by `[X]` when the step is complete, and replace `__` with appropriate data: --> - [X] `./mach build -d` does not report any errors - [X] `./mach test-tidy` does not report any errors - [X] These changes fix #934. - [X] There are tests for these changes. <!-- Pull requests that do not address these steps are welcome, but they will require additional verification as part of the review process. --> <!-- Reviewable:start --> --- This change is [<img src="https://reviewable.io/review_button.svg" height="34" align="absmiddle" alt="Reviewable"/>](https://reviewable.io/reviews/servo/servo/15536) <!-- Reviewable:end -->
This is related to #633.
document.domain changes the origin of a document. Any current and coming optimizations based on the assumption that the origin of a document not changing over time like the recent Make sandboxed iframes run with different script tasks may require removing these optimizations later.
For that reason, I feel it'd be important to implement document.domain early and start using it in Servo tests to make sure Servo is actually running the web and not an idealized version
For the specific case of sandbox iframes and document.domain, it's been discussed in standards, there was agreement among the few who participated in the discussion and a solution has been implemented in Firefox (poison document.domain setter in sandboxed iframes regardless of
allow-same-origin
).Assuming this sticks, this particular optimization will remain.
The text was updated successfully, but these errors were encountered: