Closed Bug 264581 Opened 21 years ago Closed 21 years ago

Identical domains with different ports are considered cross-domain [same-origin policy]

Categories

(Core :: Security: CAPS, defect)

1.7 Branch
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: kiddailey, Assigned: dveditz)

Details

User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/125.5 (KHTML, like Gecko) Safari/125.9
Build Identifier:

Domains that are identical but with different ports are considered unsafe cross-domains, resulting in permission denied errors in the JS console when attempting to access functions/variables/etc. from one page/frame/window to another.

For example, these two domains are treated as unsafe to communicate with each other:

http://www.example.com and http://www.example.com:8080

Reproducible: Always

Steps to Reproduce:

Actual Results:
Sample JS Console Error:

"Error: uncaught exception: Permission denied to set property Window.myVariable"

In this particular case, we have a media server that delivers streaming interactive content within an IFRAME. The media server and web server reside on the same box but at different ports. The content itself sends a flag to the parent window where the IFRAME is embedded and a Javascript function handles control thereafter. This works fine in other browsers like IE/Safari/Opera.
After digging around in the existing bugs for some time, I discovered this entry that might be related: https://bugzilla.mozilla.org/show_bug.cgi?id=264491
This is intentional and documented at http://www.mozilla.org/projects/security/components/same-origin.html. I don't remember the reason.
Assignee: firefox → dveditz
Component: General → Security: CAPS
Product: Firefox → Browser
QA Contact: firefox.general
Summary: Identical domains with different ports are considered cross-domain within Javascript → Identical domains with different ports are considered cross-domain [same-origin policy]
Version: unspecified → 1.7 Branch
Thanks Jesse - I looked for that and couldn't find it anywhere. The document.domain workaround solves the problem quite nicely.
The reason is that some sites run unrelated servers on different ports (campus networks, etc). Cookies are shared (unfortunately, but that was baked in pretty early), and sites can declare through document.domain that they really are the same.
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Resolution: --- → INVALID
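
The comparison discussed in this bug, as an added example that is not part of the original thread and not Mozilla's CAPS code: it models an origin as scheme, host and port, and follows the HTML Standard's "same origin-domain" rule for document.domain. The page objects and the function names (`originOf`, `makePage`, `declareDomain`, `canScript`) are hypothetical.

```javascript
// Added example; names are hypothetical and this is not Mozilla's CAPS code.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Origin = (scheme, host, port). An omitted port means the scheme default.
function originOf(href) {
  const u = new URL(href);
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// Model of a page: its origin plus the value it assigned to document.domain.
function makePage(href) {
  return { origin: originOf(href), domain: null };
}

// Model of `document.domain = value`: only the page's own host or a parent
// domain of it is accepted (browsers additionally reject public suffixes).
function declareDomain(page, value) {
  const host = page.origin.host;
  if (host !== value && !host.endsWith("." + value)) {
    throw new Error(`SecurityError: ${host} may not declare ${value}`);
  }
  page.domain = value;
}

// "Same origin-domain" test applied to cross-frame script access.
function canScript(a, b) {
  if (a.origin.scheme !== b.origin.scheme) return false;
  if (a.domain !== null && b.domain !== null) {
    return a.domain === b.domain; // both opted in: port is ignored
  }
  if (a.domain === null && b.domain === null) {
    return a.origin.host === b.origin.host && a.origin.port === b.origin.port;
  }
  return false; // only one side opted in
}

// Constructed pages matching the report: web and media server on one host.
const web = makePage("http://www.example.com/index.html");
const media = makePage("http://www.example.com:8080/player.html");
console.log("before:", canScript(web, media)); // false
declareDomain(web, "www.example.com");
declareDomain(media, "www.example.com");
console.log("after:", canScript(web, media)); // true
```

The document.domain setter is deprecated in current browsers; window.postMessage is the supported channel between frames served from different ports.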