Simon Pieters (@zcorpan)
I work for @bocoup on web standards and testing the web platform to foster interoperability between web browsers. Author of @htmlparserbook

Sweden
htmlparser.info
Joined March 2010
Simon Pieters @zcorpan, 6:31 AM - 6 Dec 2019

What is document.domain? What does it do? Why is it bad? (Thread)

  1. document.domain can be *set*, to *change* the origin!
  2. You can set it to a parent domain. If a.example.test and b.example.test (normally cross-origin) both set it to "example.test", they can now access each other's DOM directly.
  3. You can also set it to the same domain it already is, but this is not a no-op. It still changes the origin. https://html.spec.whatwg.org/multipage/origin.html#dom-document-domain
  4. Why is it bad? It complicates the origin model in browsers; more complexity leads to more interop problems and more security bugs.
  5. Using it for one use case opens up access for all subdomains, which might not be intentional or desirable.
  6. APIs need to decide if they should use a normal origin check, or the special origin-domain check that takes into account document.domain mutation. https://html.spec.whatwg.org/multipage/origin.html#concept-origin-domain
  7. Another aspect is that the origin-domain check can ignore the port, so https://staging.example.test:8000 can access https://example.test if they both set document.domain = "example.test"
  8. .@annevk said "mutable global policies/state is/are bad, thank you for coming to my ted talk"
  9. What should you use instead? Generally, window.postMessage(). Send a message with an ask of what you want the other origin to do. Before acting, check the event's .origin!
  10. If you want to enable access to image data, you can set the appropriate CORS headers and let the other origin fetch the image.
  11. This way, access is more controlled. You don't give DOM access to everything for all subdomains, all ports.
  12. You can use Feature Policy to disable setting document.domain. Feature-Policy: document-domain 'none' or <iframe allow="document-domain 'none'">
  13. Related: https://twitter.com/zcorpan/status/1202500952063954945
      Quoted tweet (Simon Pieters @zcorpan): Can we collectively drive down this use counter? Don't use document.domain https://chromestatus.com/metrics/feature/timeline/popularity/2544
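A small model of the two checks the thread contrasts (the normal same-origin check versus the HTML spec's same origin-domain check that honours document.domain), plus a postMessage receiver that validates event.origin as the thread recommends. This is an added example, not code from the thread or the spec; the origin objects, the simplified suffix check and the trusted-origin list are constructed for illustration.

```javascript
// Constructed model of an origin: {scheme, host, port, domain}. `domain`
// is null until the page sets document.domain; that field is what the
// spec's "same origin-domain" comparison looks at.
function makeOrigin(scheme, host, port) {
  return { scheme, host, port, domain: null };
}

// Models `document.domain = value`. Only the current host or a parent
// domain of it is accepted (simplified dot-boundary check, not the spec's
// full registrable-domain logic). Setting it to the host itself is not a
// no-op: `domain` flips from null to a string and changes later checks.
function setDocumentDomain(origin, value) {
  if (value !== origin.host && !origin.host.endsWith("." + value)) {
    throw new Error("SecurityError: not a parent domain of " + origin.host);
  }
  return { ...origin, domain: value };
}

// Normal same-origin check: scheme, host and port must all match.
function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Same origin-domain, following the HTML spec algorithm: if both sides
// set document.domain, compare scheme and domain only (the port is
// ignored); if neither did, fall back to same-origin; if exactly one
// did, they are no longer same origin-domain with each other.
function sameOriginDomain(a, b) {
  if (a.domain !== null && b.domain !== null) {
    return a.scheme === b.scheme && a.domain === b.domain;
  }
  if (a.domain === null && b.domain === null) return sameOrigin(a, b);
  return false;
}

// The alternative the thread recommends: a message handler that refuses
// anything whose event.origin is not on an explicit allowlist. `event`
// is a plain object standing in for a MessageEvent.
const TRUSTED_ORIGINS = new Set(["https://b.example.test"]);
function handleMessage(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return { accepted: false };
  return { accepted: true, data: event.data };
}
```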