Boris Zbarsky wrote:
Anne van Kesteren wrote:
I think HTML5 needs to define this as my understanding is that
document.domain is also relevant in deciding whether or not a request
is same-origin.
Actually, I don't think it is. I know IE and Gecko ignore
document.domain for the existing same-origin checks... Gecko used to
take it into account, but of course that broke sites given that IE
ignores it.
Taking document.domain into account when doing same-origin network
activity would infact be unsafe. Otherwise content at people.example.edu
would be able to load data from example.edu which might not be safe.
In fact, in order for people.example.edu to talk to example.edu, *both*
sites must explicitly have set document.domain to example.edu. This is
of course not something that can happen before a network request, as the
requested site has no way of setting document.domain.
Not sure how things originally worked when document.domain was
implemented many moons ago, but at this point all vendors have fixed
this issue.
/ Jonas
