Various updates to the document.domain section #5714
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* Expand the previous warning, and make it more prominent. Closes #5128. * Update the algorithm steps to modern Web IDL style. * Update the domintro by incorporating the note on what it does, and describing failure cases in more detail. * Move the helper algorithm below the getter/setter steps.
domenic
added
removal/deprecation
3 tasks
annevk
approved these changes
Jul 9, 2020
| <p>In sandboxed <code>iframe</code>s, <code>Document</code>s with <span | ||
| data-x="concept-origin-opaque">opaque origins</span>, <code>Document</code>s without a <span | ||
| data-x="concept-document-bc">browsing context</span>, and when the "<code | ||
| data-x="document-domain-feature">document-domain</code>" feature is disabled, the setter will |
There was a problem hiding this comment.
"feature" here might get out-of-date quickly. Also not entirely sure we'd keep this as a Permissions Policy thing.
There was a problem hiding this comment.
I guess this doesn't need any changes due to the rename; it's still a "feature" (at least until https://github.com/w3c/webappsec-feature-policy/issues/369 gets settled).
| data-x="dom-document-domain">document.domain</code> setter has been used.</p> | ||
|
|
||
| <p>Because of these security pitfalls, this feature is in the process of being removed from the | ||
| Web platform. (This is a long process that takes many years.)</p> |
There was a problem hiding this comment.
HTML uppercases Web (248 instances currently; probably some false positives). Including in other "in the process of being removed from the Web platform".
I'm happy to change this here though if you'd prefer to just kind of change the casing as we edit nearby areas, but that might get confusing...
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Expand the previous warning, and make it more prominent. Closes Discourage use of document.domain #5128.
Update the algorithm steps to modern Web IDL style.
Update the domintro by incorporating the note on what it does, and
describing failure cases in more detail.
Move the helper algorithm below the getter/setter steps.
I'm not convinced that spelling out all the exception cases in the domintro is worth it. However, I thought noting that it fails for crossOriginIsolated (and soon, originIsolated) cases was important, and just talking about sandboxed iframes felt incomplete. Thoughts welcome.
I also welcome suggestions on ways to scare people off more convincingly. I may have over-focused on preserving the shared-hosting/different-ports example.
Finally, it might be worth mentioning that it doesn't work on subdomains of public suffixes? I dunno.
I'd like to get this merged relatively soon so that I can rebase origin isolation on top of it.
/origin.html ( diff )