[Webkit-unassigned] [Bug 16192] Support TLD check when changing document.domain

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Apr 16 17:47:59 PDT 2008


hk9565 at gmail.com changed:

           What    |Removed                     |Added
                 CC|                            |hk9565 at gmail.com

------- Comment #2 from hk9565 at gmail.com  2008-04-16 17:47 PDT -------
Setting your document.domain to "com" or "" will let almost every web site
access your DOM, cookies, etc, by setting their document.domain to the same
value.  Internet Explorer and Firefox prevent web sites from setting their
document.domain shorter than an effective TLD + 1 or a "registry controlled"
domain.  For example, stanford.facebook.com can set its document.domain to
"facebook.com" but not to "com".  Also, www.hbc.co.uk can set its
document.domain to "hbc.co.uk" but not to "co.uk" or to "uk".

This restriction is more to prevent web sites from shooting themselves in the
foot than to prevent any particular attack.

Configure bugmail: http://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

More information about the webkit-unassigned mailing list