[Webkit-unassigned] [Bug 16192] Support TLD check when changing document.domain

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Apr 16 17:47:59 PDT 2008


http://bugs.webkit.org/show_bug.cgi?id=16192


hk9565 at gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |hk9565 at gmail.com




------- Comment #2 from hk9565 at gmail.com  2008-04-16 17:47 PDT -------
Setting your document.domain to "com" or "" will let almost every web site
access your DOM, cookies, etc., by setting their document.domain to the same
value.  Internet Explorer and Firefox prevent web sites from setting their
document.domain shorter than an effective TLD + 1 or a "registry controlled"
domain.  For example, stanford.facebook.com can set its document.domain to
"facebook.com" but not to "com".  Also, www.hbc.co.uk can set its
document.domain to "hbc.co.uk" but not to "co.uk" or to "uk".

This restriction is more to prevent web sites from shooting themselves in the
foot than to prevent any particular attack.


-- 
Configure bugmail: http://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
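
The check described in the comment above, sketched as an added example (not part of the original message and not WebKit, Firefox or Internet Explorer code). The function names and the three-entry suffix set are assumptions made for illustration; a real implementation consults the full Public Suffix List, including its wildcard and exception rules.

```javascript
// Constructed sample of registry-controlled suffixes (assumption: stands in
// for the full Public Suffix List, which also has wildcard/exception rules).
const SAMPLE_SUFFIXES = new Set(["com", "uk", "co.uk"]);

// Lower-case and drop a trailing dot so "Example.COM." compares as "example.com".
const normalize = (name) => name.toLowerCase().replace(/\.$/, "");

// Returns the effective TLD + 1 of `host`, or null when `host` is itself a
// registry-controlled suffix or ends in no suffix from the sample set.
function registrableDomain(host, suffixes = SAMPLE_SUFFIXES) {
  const labels = normalize(host).split(".");
  // Longest candidate first, so "co.uk" is matched before "uk".
  for (let i = 0; i < labels.length; i++) {
    if (suffixes.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// Hypothetical policy check: may a page served from `host` set
// document.domain to `requested`?
function canSetDocumentDomain(host, requested, suffixes = SAMPLE_SUFFIXES) {
  const h = normalize(host);
  const r = normalize(requested);
  if (r === "") return false; // the empty value is never acceptable
  // Must be the host itself or a parent domain on a label boundary.
  if (h !== r && !h.endsWith("." + r)) return false;
  const floor = registrableDomain(h, suffixes);
  if (floor === null) return false;
  // `r` is a dot-aligned suffix of `h`; reject it if shorter than eTLD + 1.
  return r === floor || r.endsWith("." + floor);
}

// The cases named in the comment, plus two boundary cases.
const cases = [
  ["stanford.facebook.com", "facebook.com"],
  ["stanford.facebook.com", "com"],
  ["www.hbc.co.uk", "hbc.co.uk"],
  ["www.hbc.co.uk", "co.uk"],
  ["www.hbc.co.uk", "uk"],
  ["stanford.facebook.com", ""],
  ["stanford.facebook.com", "book.com"],
];
for (const [host, requested] of cases) {
  console.log(`${host} -> "${requested}":`, canSetDocumentDomain(host, requested));
}
```
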


