What is document.domain? What does it do? Why is it bad? (Thread)
Another aspect is that the origin-domain check can ignore the port, so https://staging.example.test:8000 can access https://example.test if they both set document.domain = "example.test".
@annevk said "mutable global policies/state is/are bad, thank you for coming to my ted talk"
What should you use instead? Generally, window.postMessage(). Send a message with an ask of what you want the other origin to do. Before acting, check the event's .origin!
If you want to enable access to image data, you can set the appropriate CORS headers and let the other origin fetch the image.
This way, access is more controlled. You don't give DOM access to everything for all subdomains, all ports.
You can use Feature Policy to disable setting document.domain: Feature-Policy: document-domain 'none' or <iframe allow="document-domain 'none'">.
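Added example (not from the thread or its author): a receiver-side postMessage handler that does the event.origin check the thread recommends, plus two comparison functions showing why the document.domain relaxation from the first tweet is looser than a real origin check. The allowlist, origins and message shape are constructed for illustration.

```javascript
// Constructed allowlist of exact origins this page will accept messages from.
// Note: scheme, host AND port are all part of an origin.
const ALLOWED_ORIGINS = new Set([
  "https://example.test",
  "https://app.example.test",
]);

// Strict same-origin comparison: scheme, hostname and port must all match.
// This is the bar an exact-match event.origin allowlist enforces.
function sameOrigin(a, b) {
  const ua = new URL(a), ub = new URL(b);
  return ua.protocol === ub.protocol &&
         ua.hostname === ub.hostname &&
         ua.port === ub.port;
}

// Model of the relaxed check after BOTH documents set document.domain = domain:
// only the scheme and the shared domain suffix are compared; subdomain and port
// are ignored, which is exactly the staging:8000 -> example.test case.
function documentDomainMatch(a, b, domain) {
  const ua = new URL(a), ub = new URL(b);
  const underDomain = (h) => h === domain || h.endsWith("." + domain);
  return ua.protocol === ub.protocol &&
         underDomain(ua.hostname) && underDomain(ub.hostname);
}

// Receiver side: check event.origin BEFORE acting on the request, then only
// honour a small, explicit set of "asks". Returns the reply, or null if the
// message is rejected (untrusted origin, malformed data, unknown request).
function handleMessage(event) {
  if (!ALLOWED_ORIGINS.has(event.origin)) return null;   // untrusted sender
  const msg = event.data;
  if (!msg || typeof msg !== "object") return null;      // malformed payload
  switch (msg.type) {
    case "get-theme":
      return { type: "theme", value: "dark" };           // constructed response
    default:
      return null;                                       // unknown ask: ignore
  }
}

// Sender side (browser only): always pass an explicit targetOrigin, never "*",
// so the message cannot be delivered to a window that navigated elsewhere.
function sendRequest(targetWindow, targetOrigin, msg) {
  targetWindow.postMessage(msg, targetOrigin);
}
```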