document.domain can be *set*, to *change* the origin!
You can set it to a parent domain. If a.example.test and b.example.test (normally cross-origin) both set it to "example.test", they can now access each other's DOM directly.
You can also set it to the same domain it already is, but this is not a no-op. It still changes the origin. https://html.spec.whatwg.org/multipage/origin.html#dom-document-domain
Why is it bad? It complicates the origin model in browsers; more complexity leads to more interop problems and more security bugs.
Using it for one use case opens up access for all subdomains, which might not be intentional or desirable.
APIs need to decide if they should use a normal origin check, or the special origin-domain check that takes into account document.domain mutation. https://html.spec.whatwg.org/multipage/origin.html#concept-origin-domain
Another aspect is that the origin-domain check can ignore the port, so https://staging.example.test:8000 can access https://example.test if they both set document.domain = "example.test"
@annevk said "mutable global policies/state is/are bad, thank you for coming to my ted talk"
What should you use instead? Generally, window.postMessage(). Send a message with an ask of what you want the other origin to do. Before acting, check the event's .origin!
If you want to enable access to image data, you can set the appropriate CORS headers and let the other origin fetch the image.
This way, access is more controlled. You don't give DOM access to everything for all subdomains, all ports.
You can use Feature Policy to disable setting document.domain: Feature-Policy: document-domain 'none' or <iframe allow="document-domain 'none'">
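The postMessage pattern the thread recommends in place of document.domain, as an added example that is not part of the thread: a receiver that acts only on messages from an explicit list of exact origins (scheme, host and port), and a sender that always names its target origin. The origins, action names and the plain-object stand-in for a browser MessageEvent are constructed for the example so it also runs outside a browser.

```javascript
// Exact origins that may ask this page to do things (constructed for the example).
// Unlike the document.domain / origin-domain check, this distinguishes ports
// and does not grant every sibling subdomain access at once.
const ALLOWED_ORIGINS = new Set([
  "https://a.example.test",
  "https://b.example.test:8443",
]);

// The small set of actions this page is willing to perform on request
// (hypothetical actions, standing in for whatever the page really exposes).
const ACTIONS = {
  getTitle: () => "dashboard",
  setTheme: (theme) => (["light", "dark"].includes(theme) ? theme : null),
};

// Receiver side. Returns a result object so the outcome can be inspected
// (and tested) rather than only posted back to the caller.
function handleMessage(event) {
  // 1. Origin check first: exact string match against the allow-list, never a
  //    suffix match on the host, which would re-create the subdomain-wide grant.
  if (!ALLOWED_ORIGINS.has(event.origin)) {
    return { ok: false, reason: "origin not allowed" };
  }
  // 2. Treat event.data as untrusted input even from an allowed origin:
  //    an own-property check keeps lookups like "constructor" off the table.
  const { action, args } = event.data || {};
  if (typeof action !== "string" || !Object.prototype.hasOwnProperty.call(ACTIONS, action)) {
    return { ok: false, reason: "unknown action" };
  }
  const result = ACTIONS[action](...(Array.isArray(args) ? args : []));
  // 3. Reply only to the window that asked, pinned to the origin just verified
  //    so the answer cannot be delivered to a frame that has since navigated.
  if (event.source && typeof event.source.postMessage === "function") {
    event.source.postMessage({ action, result }, event.origin);
  }
  return { ok: true, result };
}

// Sender side: always pass an explicit targetOrigin, never "*".
function askFrame(frame, targetOrigin, action, args) {
  frame.postMessage({ action, args }, targetOrigin);
}

// In a browser, wire the receiver up; harmless when window is absent.
if (typeof window !== "undefined") {
  window.addEventListener("message", handleMessage);
}
```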