What is document.domain? What does it do? Why is it bad? (Thread)
You can also set it to the same domain it already is, but this is not a no-op. It still changes the origin. https://html.spec.whatwg.org/multipage/origin.html#dom-document-domain …
Why is it bad? It complicates the origin model in browsers; more complexity leads to more interop problems and more security bugs.
Using it for one use case opens up access for all subdomains, which might not be intentional or desirable.
APIs need to decide if they should use a normal origin check, or the special origin-domain check that takes into account document.domain mutation. https://html.spec.whatwg.org/multipage/origin.html#concept-origin-domain …
Another aspect is that the origin-domain check can ignore the port, so https://staging.example.test:8000 can access https://example.test if they both set document.domain = "example.test".
@annevk said "mutable global policies/state is/are bad, thank you for coming to my ted talk"
What should you use instead? Generally, window.postMessage(). Send a message with an ask of what you want the other origin to do. Before acting, check the event's .origin!
If you want to enable access to image data, you can set the appropriate CORS headers and let the other origin fetch the image.
This way, access is more controlled. You don't give DOM access to everything for all subdomains, all ports.
You can use Feature Policy to disable setting document.domain. Feature-Policy: document-domain 'none' or <iframe allow="document-domain 'none'">
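As an added illustration (not part of the thread), the following models the two checks the thread contrasts: the spec's "same origin-domain" comparison that document.domain opts a page into, which ignores the port once both sides have set a domain and stops matching when only one side has, and the postMessage receiver that allow-lists event.origin before acting. The origin tuples, the "resize" request type and the allow-list are constructed for the example.

```javascript
// Added example, not code from the thread. Models the origin checks the
// thread describes so the difference can be observed outside a browser.

// An origin tuple plus the effective document.domain value (null if never set).
function origin(scheme, host, port, domain = null) {
  return { scheme, host, port, domain };
}

// Ordinary same-origin check: scheme, host and port must all match.
function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// "Same origin-domain" per the HTML spec: if both sides have set document.domain,
// only scheme and domain are compared (the port is ignored); if neither side has,
// fall back to the ordinary same-origin check; a mixed pair never matches, which is
// why setting document.domain to its own value is not a no-op.
function sameOriginDomain(a, b) {
  if (a.domain !== null && b.domain !== null) {
    return a.scheme === b.scheme && a.domain === b.domain;
  }
  if (a.domain === null && b.domain === null) return sameOrigin(a, b);
  return false;
}

// Receiver side of the postMessage alternative: check event.origin against an
// explicit allow-list before doing anything, and only honour known request types.
// Returns the action taken, or null when the message is ignored.
function handleMessage(event, allowedOrigins) {
  if (!allowedOrigins.includes(event.origin)) return null; // untrusted sender
  if (event.data && event.data.type === "resize") {         // constructed request type
    return { action: "resize", height: event.data.height };
  }
  return null; // unknown request types are ignored, never executed
}
```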