On Sat, 22 Sep 2007 05:28:13 +0200, Maciej Stachowiak <[EMAIL PROTECTED]>
wrote:
I think HTML5 needs to define this as my understanding is that
document.domain is also relevant in deciding whether or not a request
is same-origin. I'm not sure if that's happening soon though.
I don't think document.domain would apply when determining same origin
for XMLHttpRequest.
This is actually supported in Opera, XHR is allowed to both original
hostname and document.domain . So this won't show an alert on
http://www.example.org/ :
javascript: document.domain='example.org';var x; try{(x=new
XMLHttpRequest()).open('GET', 'http://example.org/',
true);void(x.send(null));}catch(e){ alert(e);}
(This was implemented on suggestions from live.com )
Note that document.domain (when set by both source and target frame)
also lets you ignore port and protocol differences, which once again is
not desirable for XHR.
I know we ignore port differences but I don't think we ignore protocol.
Are you saying that Safari lets https://secure.example.org/ talk to
http://www.example.org if they both set document.domain to example.org ?
--
Hallvord R. M. Steen
Core QA JavaScript tester, Opera Software
http://www.opera.com/
Opera - simply the best Internet experience
