BroadcastChannel, IndexedDB, etc. don't respect document.domain
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
People
(Reporter: f2424880, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Steps to reproduce:
On two different hosts at the same domain, e.g.
https://store.example.com
https://blog.example.com
Run the following script (you can use the console):
document.domain = "example.com";
var myChannel = new new BroadcastChannel("My_Channel_Name");
myChannel.onmessage = function(e){ alert(e.data); };
And then in either window, run:
myChannel.postMessage("Hi there!");
Actual results:
No message is received by the other window.
Expected results:
I would have expected that (a) because document.domain was set to the same value for both windows, they'd be considered same-origin, and (b) that therefore BroadcastChannel messages would be passed between them.
However if the current behavior is the correct one according to spec (I tried reading the spec, but it still isn't clear to me), then at least the docs need updating or clarification, because this page:
https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy#Changing_origin
Suggests changing document.domain affects the origin for same-origin checks, and this page:
https://developer.mozilla.org/en-US/docs/Web/API/BroadcastChannel
States that BroadcastChannel can sends messages between any same-origin windows.
Taken together this has the implication that changing document.domain should affect the scope of BroadcastChannel accordingly, which it doesn't currently.
And if it should, then the documentation should also answer the question of what happens if document.domain is changed after a BroadcastChannel object is created - i.e. does the BroadcastChannel track the current document.domain, or does it retain the origin it had at the time of creation?
Finally, while it's a bit outside the scope of this bug report, I'd note that sending BroadcastChannel messages between different hosts on the same domain is certainly something web authors would want to be able to do! So if the spec currently doesn't allow that, perhaps I could suggest adding an extra domain parameter to the BroadcastChannel constructor, so that you could write, e.g.:
myChannel = new new BroadcastChannel("My_Channel_Name", "example.com");
to ensure you create a channel that can send messages between windows from https://foo.example.com and https://bar.example.com?
(In reply to Dean from comment #0)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Steps to reproduce:
On two different hosts at the same domain, e.g.
https://store.example.com
https://blog.example.comRun the following script (you can use the console):
document.domain = "example.com"; var myChannel = new new BroadcastChannel("My_Channel_Name"); myChannel.onmessage = function(e){ alert(e.data); };And then in either window, run:
myChannel.postMessage("Hi there!");Actual results:
No message is received by the other window.
Expected results:
I would have expected that (a) because document.domain was set to the same value for both windows, they'd be considered same-origin, and (b) that therefore BroadcastChannel messages would be passed between them.
However if the current behavior is the correct one according to spec (I tried reading the spec, but it still isn't clear to me), then at least the docs need updating or clarification, because this page:
https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy#Changing_origin
Suggests changing document.domain affects the origin for same-origin checks, and this page:
https://developer.mozilla.org/en-US/docs/Web/API/BroadcastChannel
States that BroadcastChannel can sends messages between any same-origin windows.
Taken together this has the implication that changing document.domain should affect the scope of BroadcastChannel accordingly, which it doesn't currently.
And if it should, then the documentation should also answer the question of what happens if document.domain is changed after a BroadcastChannel object is created - i.e. does the BroadcastChannel track the current document.domain, or does it retain the origin it had at the time of creation?Finally, while it's a bit outside the scope of this bug report, I'd note that sending BroadcastChannel messages between different hosts on the same domain is certainly something web authors would want to be able to do! So if the spec currently doesn't allow that, perhaps I could suggest adding an extra domain parameter to the BroadcastChannel constructor, so that you could write, e.g.:
myChannel = new BroadcastChannel("My_Channel_Name", "example.com");to ensure you create a channel that can send messages between windows from https://foo.example.com and https://bar.example.com?
|
||
Comment 2•5 years ago
|
||
Bugbug thinks this bug should belong to this component, but please revert this change in case of error.
This affects IndexedDB as well as BroadcastChannel:
www.example.com and store.example.com don't share IndexedDB data, even if you set document.domain = "example.com"; on both pages prior to opening the databases.
|
||
Comment 5•5 years ago
|
||
I suggest raising this on https://github.com/mdn/sprints as that's the place for documentation issues. But briefly, there's a significant difference between "same origin" and "same origin-domain". Only the latter accounts for document.domain changes to an origin. And in practice no new features will use "same origin-domain" as it's a significant barrier to a more secure web.
OK, I raised this as a documentation issue on github: https://github.com/mdn/sprints/issues/3637
Description
•