document.domain can be *set*, to *change* the origin!
You can set it to a parent domain. If a.example.test and b.example.test (normally cross-origin) both set it to "example.test", they can now access each other's DOM directly.
You can also set it to the same domain it already is, but this is not a no-op. It still changes the origin. https://html.spec.whatwg.org/multipage/origin.html#dom-document-domain …
Why is it bad? It complicates the origin model in browsers; more complexity leads to more interop problems and more security bugs.
Using it for one use case opens up access for all subdomains, which might not be intentional or desirable.
APIs need to decide if they should use a normal origin check, or the special origin-domain check that takes into account document.domain mutation. https://html.spec.whatwg.org/multipage/origin.html#concept-origin-domain …
Another aspect is that the origin-domain check can ignore the port, so https://staging.example.test:8000 can access https://example.test if they both set document.domain = "example.test"
.@annevk said "mutable global policies/state is/are bad, thank you for coming to my ted talk"
What should you use instead? Generally, window.postMessage(). Send a message with an ask of what you want the other origin to do. Before acting, check the event's .origin!
If you want to enable access to image data, you can set the appropriate CORS headers and let the other origin fetch the image.
This way, access is more controlled. You don't give DOM access to everything for all subdomains, all ports.
You can use Feature Policy to disable setting document.domain. Feature-Policy: document-domain 'none' or <iframe allow="document-domain 'none'">
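To make the thread's points concrete, here is an added example (not from the thread or the spec) that models the HTML spec's "same origin" and "same origin-domain" checks on plain origin objects, simulates the document.domain setter on each side, and shows a postMessage receiver that checks event.origin before acting. The function names origin, setDocumentDomain, sameOrigin, sameOriginDomain and handleMessage are this example's own; the sample hosts are the ones used in the thread.

```javascript
// Added example (not from the thread): models the HTML spec's "same origin"
// and "same origin-domain" checks so the effect of document.domain on both
// sides can be seen, plus a postMessage receiver that validates event.origin.
// Origins are plain objects; `domain` holds the value set via document.domain
// (null until a page sets it), as in the spec's origin tuple.
function origin(scheme, host, port, domain = null) {
  return { scheme, host, port, domain };
}

// Simulates `document.domain = value` for a page with the given origin.
// Only the host itself or a parent domain is accepted; anything else throws.
function setDocumentDomain(o, value) {
  if (value !== o.host && !o.host.endsWith("." + value)) {
    throw new Error("SecurityError: " + value + " is not a parent of " + o.host);
  }
  return { ...o, domain: value };
}

// "same origin": scheme, host and port must all match.
function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// "same origin-domain": same origin with document.domain unset on both sides,
// or equal scheme and an equal, non-null domain. The port is not compared in
// the second branch, which is the staging:8000 case from the thread.
function sameOriginDomain(a, b) {
  if (sameOrigin(a, b) && a.domain === null && b.domain === null) return true;
  return a.scheme === b.scheme && a.domain !== null && a.domain === b.domain;
}

// postMessage receiver: act only when event.origin is on an explicit allowlist
// and the payload has the expected shape. Returns the command or null.
function handleMessage(event, allowedOrigins) {
  if (!allowedOrigins.includes(event.origin)) return null;
  if (typeof event.data !== "object" || event.data === null) return null;
  return typeof event.data.command === "string" ? event.data.command : null;
}

// Constructed sample origins taken from the thread's examples.
const sub = origin("https", "a.example.test", 443);
const apex = origin("https", "example.test", 443);
const staging = origin("https", "staging.example.test", 8000);
```

Setting document.domain on only one side (or to the same value the page already has) moves that page out of the "both null" branch, so it stops being same origin-domain with pages that did not set it, which is why the setter is not a no-op.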
Simon Pieters retweeted Simon Pieters