2. Any page may set the document.domain parameter to a right-hand, fully-qualified fragment of its current host name (e.g., foo.bar.example.com may set it to example.com, but not ample.com). If two pages explicitly and mutually set their respective document.domain parameters to the same value, and the remaining same-origin checks are satisfied, access is granted.
3. If neither of the above conditions is satisfied, access is denied.

49 © 2007-2019 Marco Papa & Ellis Horowitz
Drawbacks of Same-Origin Policy

• Once any two legitimate subdomains in example.com (e.g. payments.example.com and another) choose to cooperate, any other resource in that domain, such as user-pages.example.com, may then set its own document.domain likewise and arbitrarily mess with payments.example.com. This means that in many scenarios, document.domain may not be used safely at all.
• Whenever document.domain cannot be used - either because pages live in completely different domains, or because of the above problem - legitimate client-side communication between, for example, embeddable page gadgets, is completely forbidden in theory, and in practice very difficult to arrange.
• Whenever tight integration of services within a single host name is pursued to overcome these communication problems, because of the inflexibility of same-origin checks, there is no usable method to sandbox any untrusted or particularly vulnerable content to minimize the impact of security problems.
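The following is an added example, not part of the slides, that models the document.domain rules stated above (the label-boundary suffix check, the mutual opt-in requirement) and reproduces the drawback: once payments.example.com has relaxed its domain, user-pages.example.com can opt in too and gain access. The page objects, the function names and the treatment of a one-sided opt-in as "denied" are assumptions of this model, not browser internals.

```javascript
// Added example (not from the slides): a simplified model of the document.domain
// rules described above, showing why cooperating subdomains lose isolation.

// A document.domain value is acceptable only if it is a right-hand,
// fully-qualified fragment of the host: the host itself, or a suffix
// starting at a label boundary ("example.com", not "ample.com").
function canSetDocumentDomain(host, value) {
  const h = host.toLowerCase();
  const v = value.toLowerCase();
  return v.length > 0 && (v === h || h.endsWith('.' + v));
}

// Minimal stand-in for a browsing context: scheme, host, port and the
// effective domain it has opted into (null until document.domain is set).
function makePage(scheme, host, port) {
  return { scheme, host, port, effectiveDomain: null };
}

// Returns true if the assignment is accepted, false if it is refused.
function setDocumentDomain(page, value) {
  if (!canSetDocumentDomain(page.host, value)) return false;
  page.effectiveDomain = value.toLowerCase();
  return true;
}

// Access rules as stated on the slides:
//  1. same scheme, host and port, with neither page having opted in;
//  2. both pages explicitly set document.domain to the same value and the
//     remaining checks (scheme, port) still hold;
//  3. otherwise denied. (Assumption: a one-sided opt-in falls under rule 3.)
function canAccess(a, b) {
  if (a.scheme !== b.scheme || a.port !== b.port) return false;
  if (a.effectiveDomain === null && b.effectiveDomain === null) {
    return a.host === b.host;
  }
  return a.effectiveDomain !== null && a.effectiveDomain === b.effectiveDomain;
}

// The drawback: once payments.example.com has relaxed to example.com for a
// legitimate peer, any other subdomain can relax likewise and gain access.
function thirdSubdomainGainsAccess() {
  const payments = makePage('https', 'payments.example.com', 443);
  const userPages = makePage('https', 'user-pages.example.com', 443);
  setDocumentDomain(payments, 'example.com');
  const before = canAccess(userPages, payments);   // one-sided: denied
  setDocumentDomain(userPages, 'example.com');
  const after = canAccess(userPages, payments);    // mutual: granted
  return { before, after };
}
```

Running thirdSubdomainGainsAccess() returns { before: false, after: true }: nothing in the rules lets payments.example.com choose which sibling may join the relaxed domain.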
Special Cases that Are Omitted From the Policy

• The document.domain behavior when hosts are addressed by IP addresses, as opposed to fully-qualified domain names, is not specified.
• The document.domain behavior with extremely vague specifications (e.g., co.uk) is not specified.
• The algorithms of context inheritance for pseudo-protocol windows, such as about:blank, are not specified.
• The behavior for URLs that do not meaningfully have a host name associated with them (e.g., file://) is not defined, causing some browsers to permit locally saved files to access every document on the disk or on the web; users are generally not aware of this risk, potentially exposing themselves.
• The behavior when a single name resolves to vastly different IP addresses (for example, one on an internal network, and another on the Internet) is not specified, permitting various attacks and tricks.
- Fall '07
- Ajax, Ellis Horowitz, Marco Papa