On Sep 21, 2007, at 3:34 AM, Anne van Kesteren wrote:

> On Wed, 29 Aug 2007 05:04:24 +0200, Maciej Stachowiak <[EMAIL PROTECTED]> wrote:
>> Since this affects interoperability as well as security I would suggest adding a definition, unless the spec expected to define same-origin is going to happen soon.
>
> I think HTML5 needs to define this as my understanding is that document.domain is also relevant in deciding whether or not a request is same-origin. I'm not sure if that's happening soon though.

I don't think document.domain would apply when determining same origin for XMLHttpRequest. document.domain only relaxes access rules if both the source and target frame set document.domain. This prevents foo.bar.com from unilaterally deciding it should have access to a bar.com subframe. But there is no target frame in the case of XMLHttpRequest, so this can't apply. Note that document.domain (when set by both source and target frame) also lets you ignore port and protocol differences, which once again is not desirable for XHR.

Regards,
Maciej
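The two checks Maciej distinguishes above, written out as an added example (this is illustration code, not code from the thread, from WebKit, or from any spec): a strict scheme/host/port comparison of the kind an XMLHttpRequest target would be held to, beside a model of the cross-frame document.domain rule as the message describes it (both frames must set it, and then port and scheme differences are ignored). The frame representation, the function names, and the omission of public-suffix restrictions on what document.domain may be set to are simplifying assumptions of this example.

```javascript
// Added example: models the two origin checks discussed in the message above.
// Not from the thread or from any browser engine; simplified deliberately.

// Reduce a URL to the (scheme, host, port) triple that the strict
// same-origin comparison operates on. Default ports are made explicit so
// "http://bar.com/" and "http://bar.com:80/" compare equal.
function originOf(url) {
  const u = new URL(url);
  const defaultPort = { "http:": "80", "https:": "443" }[u.protocol] || "";
  return {
    scheme: u.protocol.slice(0, -1),
    host: u.hostname,
    port: u.port || defaultPort,
  };
}

function sameOriginTriple(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Strict check for an XHR issued by the document at `documentUrl` to
// `requestUrl`. document.domain is not consulted: there is no target
// document on the other side that could have opted in.
function xhrSameOrigin(documentUrl, requestUrl) {
  return sameOriginTriple(originOf(documentUrl), originOf(requestUrl));
}

// A page may only set document.domain to its own host or a parent domain
// of it (assumption: public-suffix rules are ignored in this model).
function canSetDocumentDomain(host, value) {
  return host === value || host.endsWith("." + value);
}

// A frame is the origin it was loaded from plus the value it assigned to
// document.domain (null if it never touched it).
function makeFrame(url, domainSetting = null) {
  const origin = originOf(url);
  if (domainSetting !== null && !canSetDocumentDomain(origin.host, domainSetting)) {
    throw new Error(`cannot set document.domain to "${domainSetting}" from ${origin.host}`);
  }
  return { origin, domain: domainSetting };
}

// Cross-frame access, modelled on the rule described in the message:
//  - neither frame set document.domain: fall back to the strict check
//  - only one frame set it: denied, so foo.bar.com cannot unilaterally
//    grant itself access to a bar.com frame
//  - both set it to the same value: allowed, scheme and port ignored
function frameCanAccess(source, target) {
  if (source.domain === null && target.domain === null) {
    return sameOriginTriple(source.origin, target.origin);
  }
  if (source.domain === null || target.domain === null) {
    return false;
  }
  return source.domain === target.domain;
}
```

Running frameCanAccess with a foo.bar.com frame that set document.domain to "bar.com" against a bar.com frame that did not shows the asymmetry the message relies on: the access is refused until the bar.com side also sets document.domain, and once both have, a bar.com frame on a different port or scheme is reachable too. The same URLs fed to xhrSameOrigin stay cross-origin regardless, which is why the relaxation has nothing to attach to for XHR.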
