Security 2025 chapter edits#4357
Refine language and improve clarity in security.md up to section on "keywords for script-src"
#### Use of `document.domain`

- By using [`document.domain`](https://developer.mozilla.org/docs/Web/API/Document/domain), a developer was able to read the domain portion of the current document, as well as set a new domain (only superdomains of the current domain are allowed), after which the browser will use the new domain as origin for the same-origin policy checks. However, the use of this property is now deprecated and browsers may stop supporting the property soon.
+ By using [`document.domain`](https://developer.mozilla.org/docs/Web/API/Document/domain), a developer is able to read the domain portion of the current document, as well as set a new domain (only subdomains of the current domain are allowed), after which the browser will use the new domain as origin for the same-origin policy checks. However, the use of this property is now deprecated and browsers may stop supporting the property soon.
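Review bot: the wording change from "superdomains" to "subdomains" in the `document.domain` sentence inverts the rule. `document.domain` can only be set to the current domain or one of its parent domains (`a.example.com` may set `example.com`, not the reverse), so "superdomains" was correct; to avoid readers mistaking it for a typo, the sentence could read "only the same domain or a parent (super)domain of the current domain is allowed".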
I'm not sure about this change. I think superdomain was intentional.
https://developer.mozilla.org/en-US/docs/Web/API/Document/domain#setting_the_domain
It can only be set to the same or a parent domain. For example, if https://a.example.com and https://b.example.com both use
document.domain = "example.com";
then they have both modified their origin to have the same domain, and they can now access each other's DOM directly—despite being cross-origin, which would normally prevent such access.
Maybe should be more explicit (like MDN is) in case others think this is a typo?
tbh I wasn't sure either but I saw no mention of "superdomain" in the MDN page which led me to believe subdomain may have been intended here. Who can we double check with on this one?
But I'm pretty confident they meant superdomain so let's revert to that for now:
- By using [`document.domain`](https://developer.mozilla.org/docs/Web/API/Document/domain), a developer is able to read the domain portion of the current document, as well as set a new domain (only subdomains of the current domain are allowed), after which the browser will use the new domain as origin for the same-origin policy checks. However, the use of this property is now deprecated and browsers may stop supporting the property soon.
+ By using [`document.domain`](https://developer.mozilla.org/docs/Web/API/Document/domain), a developer is able to read the domain portion of the current document, as well as set a new domain (only superdomains of the current domain are allowed), after which the browser will use the new domain as origin for the same-origin policy checks. However, the use of this property is now deprecated and browsers may stop supporting the property soon.
Yes, this is superdomain. Although maybe we can rephrase to more explicitly include the same domain as well?
From the linked MDN document:
...
It can only be set to the same or a parent domain. For example, if https://a.example.com and https://b.example.com both use
document.domain = "example.com";
then they have both modified their origin to have the same domain, and they can now access each other's DOM directly
...
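As an added example (not part of this PR or the chapter), the following JavaScript models the rule quoted above: a value is accepted for `document.domain` only when it equals the current host or is one of its parent domains on a label boundary, never a subdomain or an unrelated host. The public-suffix set is a constructed stand-in for the browser's real list.

```javascript
// Added example: models which values the browser accepts for document.domain.
// Rule (per MDN, as quoted in the thread): the same domain or a parent domain.
// Browsers also refuse registrable suffixes such as "com"; that check is
// approximated with a constructed list, not the real Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "co.uk"]); // constructed

function isAllowedDocumentDomain(currentHost, candidate) {
  const host = currentHost.toLowerCase();
  const value = candidate.toLowerCase();
  if (value === host) return true;               // same domain is always allowed
  if (PUBLIC_SUFFIXES.has(value)) return false;  // a bare suffix is rejected
  // Parent (super)domain: host must end with "." + value. The dot enforces a
  // label boundary, so "ample.com" is not a parent of "a.example.com" even
  // though it is a string suffix. A subdomain never passes this test.
  return host.endsWith("." + value);
}

// Outcome the thread describes: once two documents relax to the same value,
// the browser treats them as same-origin for DOM access. Both sides must be
// able to set that value for the relaxation to take effect.
function sameOriginAfterRelax(hostA, hostB, value) {
  return isAllowedDocumentDomain(hostA, value) &&
         isAllowedDocumentDomain(hostB, value);
}

// Example run on the hosts from the MDN excerpt.
console.log(isAllowedDocumentDomain("a.example.com", "example.com"));   // true
console.log(isAllowedDocumentDomain("example.com", "a.example.com"));   // false
console.log(sameOriginAfterRelax("a.example.com", "b.example.com", "example.com")); // true
```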
Let's leave as is and merge this.
Co-authored-by: Barry Pollard <barrypollard@google.com>
Refine language and improve clarity in security.md