Permalink
Browse files

[a] (0) Warn about document.domain on shared hosting.

git-svn-id: http://svn.whatwg.org/webapps@3879 340c8d12-0b0e-0410-8428-c7bf67bfef74
  • Loading branch information...
1 parent f5733d1 commit a7708bf98ce81b777504f5c27ac527f72884db8d @Hixie Hixie committed Sep 16, 2009
Showing with 20 additions and 3 deletions.
  1. +8 −0 index
  2. +12 −3 source
View
8 index
@@ -49239,6 +49239,14 @@ interface <dfn id=window>Window</dfn> {
attribute is used to enable pages on different hosts of a domain to
access each others' DOMs.</p>
+ <p class=warning>Do not use the <code title=dom-document-domain><a href=#dom-document-domain>document.domain</a></code> attribute when
+ using shared hosting. If an untrusted third party is able to host an
+ HTTP server at the same IP address but on a different port, then the
+ same-origin protection that normally protects two different sites on
+ the same host will fail, as the ports are ignored when comparing
+ origins after the <code title=dom-document-domain><a href=#dom-document-domain>document.domain</a></code> attribute has
+ been used.</p>
+
<h3 id=scripting><span class=secno>6.5 </span>Scripting</h3>
View
15 source
@@ -53988,9 +53988,8 @@ document.body.appendChild(outer);</pre>
<li><p>If the <span>parent browsing context</span>'s <span>active
document</span> does not have the <span>same</span> <span>effective
- script origin</span> as the script that is accessing the <code
- title="dom-frameElement">frameElement</code> attribute, then throw
- a <code>SECURITY_ERR</code> exception.</p></li>
+ script origin</span> as the <span>first script</span>, then throw a
+ <code>SECURITY_ERR</code> exception.</p></li>
<li><p>Otherwise, return the <span>browsing context
container</span> for <var title="">b</var>.</p></li>
@@ -55565,6 +55564,16 @@ interface <dfn>Window</dfn> {
attribute is used to enable pages on different hosts of a domain to
access each others' DOMs.</p>
+ <p class="warning">Do not use the <code
+ title="dom-document-domain">document.domain</code> attribute when
+ using shared hosting. If an untrusted third party is able to host an
+ HTTP server at the same IP address but on a different port, then the
+ same-origin protection that normally protects two different sites on
+ the same host will fail, as the ports are ignored when comparing
+ origins after the <code
+ title="dom-document-domain">document.domain</code> attribute has
+ been used.</p>
+
<h3 id="scripting">Scripting</h3>

0 comments on commit a7708bf

Please sign in to comment.