Simon Pieters
What is document.domain? What does it do? Why is it bad? (Thread)
Simon Pieters, 6 Dec
Replying to @zcorpan
document.domain can be *set*, to *change* the origin!
Simon Pieters, 6 Dec
Replying to @zcorpan
You can set it to a parent domain. If a.example.test and b.example.test (normally cross-origin) both set it to "example.test", they can now access each other's DOM directly.
Simon Pieters, 6 Dec
Replying to @zcorpan
You can also set it to the same domain it already is, but this is not a no-op. It still changes the origin.
Simon Pieters, 6 Dec
Replying to @zcorpan
Why is it bad? It complicates the origin model in browsers; more complexity leads to more interop problems and more security bugs.
Simon Pieters, 6 Dec
Replying to @zcorpan
Using it for one use case opens up access for all subdomains, which might not be intentional or desirable.
Simon Pieters, 6 Dec
Replying to @zcorpan
APIs need to decide if they should use a normal origin check, or the special origin-domain check that takes into account document.domain mutation.
Simon Pieters, 6 Dec
Replying to @zcorpan
Another aspect is that the origin-domain check can ignore the port, so https://staging.example.test:8000 can access https://example.test if they both set document.domain = "example.test".
Simon Pieters, 6 Dec
Replying to @annevk
@annevk said "mutable global policies/state is/are bad, thank you for coming to my ted talk"
Simon Pieters, 6 Dec
Replying to @annevk
What should you use instead? Generally, window.postMessage(). Send a message with an ask of what you want the other origin to do. Before acting, check the event's .origin!
Simon Pieters, 6 Dec
Replying to @annevk
If you want to enable access to image data, you can set the appropriate CORS headers and let the other origin fetch the image.
Simon Pieters, 6 Dec
Replying to @annevk
This way, access is more controlled. You don't give DOM access to everything for all subdomains, all ports.
Simon Pieters, 6 Dec
Replying to @annevk
You can use Feature Policy to disable setting document.domain. Feature-Policy: document-domain 'none' or <iframe allow="document-domain 'none'">
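As an added example (not part of the thread), a postMessage receiver that follows the advice above: it checks the event's .origin against an exact allowlist before acting, so a sibling subdomain or a different port is rejected, unlike the origin-domain check that document.domain enables. The allowlist, the action names and the message shape are constructed for illustration.

```javascript
// Constructed allowlist: exact origin strings, so scheme, host AND port all
// have to match (contrast with document.domain, which can ignore the port).
const ALLOWED_ORIGINS = new Set([
  "https://a.example.test",
  "https://b.example.test",
]);

// Constructed set of requests a trusted peer is allowed to ask this window for.
// Only these run; nothing else on the page is exposed.
const ACTIONS = {
  getTitle: () => "Example page",
  add: ({ a, b }) => a + b,
};

// Validates one message event and returns the reply object, or null when the
// message must be ignored. Kept free of DOM calls so it can be tested offline.
function processMessage(event) {
  // Step 1: the origin check the thread insists on. Exact match only.
  if (!ALLOWED_ORIGINS.has(event.origin)) return null;
  // Step 2: the payload has to be a structured request, not arbitrary data.
  const { data } = event;
  if (!data || typeof data !== "object" || typeof data.action !== "string") return null;
  // Step 3: dispatch only to own properties, never to inherited ones
  // such as "constructor" or "__proto__".
  const handler = Object.prototype.hasOwnProperty.call(ACTIONS, data.action)
    ? ACTIONS[data.action]
    : null;
  if (!handler) return { id: data.id, error: "unknown action" };
  return { id: data.id, result: handler(data.params || {}) };
}

// Wires the check into a real window; the reply is addressed to the verified
// origin rather than "*", so it cannot be read by a different document.
function installReceiver(win) {
  win.addEventListener("message", (event) => {
    const reply = processMessage(event);
    if (reply && event.source) event.source.postMessage(reply, event.origin);
  });
}

// Sender side: always name the target origin explicitly instead of "*".
function sendRequest(targetWindow, targetOrigin, action, params, id) {
  targetWindow.postMessage({ id, action, params }, targetOrigin);
}

// Only attach to the page when running in a browser.
if (typeof window !== "undefined") installReceiver(window);
```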