Our definition of an "origin" for security purposes is scheme://host:port. A content developer has the option of widening this definition by assigning to document.domain. They should also be able to narrow it to a specific directory or even a specific file within a host. This will be useful, for example, on geocities.com, where content from the same host actually has many different owners. Narrowing the domain would allow an author who posts to GeoCities to prevent other GeoCities pages from accessing the author's page.
This is an enhancement. Marking Future.
Status: NEW → ASSIGNED
Target Milestone: --- → Future
Setting document.domain is great for expanding trust, but it seems to me that restricting access should be done by an HTTP header, which the server has more control over. Wouldn't allowing document.domain to restrict access set up a race condition between the page's setting document.domain and the attacker's trying to access the page? Interestingly, GeoCities' 404 page displays the input URL without escaping it (http://www.cert.org/advisories/CA-2000-02.html). I wonder if they set this up on purpose in order to remind paranoid users of the problem mentioned in this bug report.
Mass changing QA to ckritzer.
QA Contact: junruh → ckritzer
See also bug 64886.
Target is now 0.9.5, Priority P2.
Priority: P3 → P2
Target Milestone: Future → mozilla0.9.5
time marches on...retargeting to 0.9.6
Target Milestone: mozilla0.9.5 → mozilla0.9.6
I don't think this will work as proposed, because of what Jesse mentioned, but alternatively, it would be good if we could configure the security manager to treat directories at a particular depth to be considered separate hosts. This would solve the GeoCities problem. Changing summary.
Summary: Using document.domain to narrow the domain → Ability to restrict domain to a directory
Target Milestone: mozilla0.9.6 → Future
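The directory-depth idea from the comment above, sketched as an added example (not Gecko code and not part of the original bug report). The names `securityKey` and `sameSecurityContext` are hypothetical, the GeoCities-style paths are constructed, and the sketch assumes the comparison runs on a normalized URL so that `..` segments and percent-encoding cannot move a page into another owner's directory.

```javascript
// Added illustration, not Gecko code: securityKey and sameSecurityContext
// are hypothetical names, and the GeoCities-style paths are constructed.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Canonicalize one path segment so "%31001" and "1001" compare equal,
// while an encoded slash ("%2F") stays encoded and cannot fake a boundary.
function canonicalSegment(segment) {
  try {
    return encodeURIComponent(decodeURIComponent(segment));
  } catch (e) {
    return segment; // malformed escape: compare the raw text
  }
}

// depth 0 -> classic scheme://host:port origin.
// depth n -> origin plus the first n directory segments of the path.
function securityKey(urlString, depth = 0) {
  const url = new URL(urlString); // lowercases host, resolves "." and ".."
  const port = url.port || DEFAULT_PORTS[url.protocol] || "";
  const origin = `${url.protocol}//${url.hostname}:${port}`;
  if (depth === 0) return origin;
  // Drop the leading "" and the final component (file name or "").
  const dirs = url.pathname.split("/").slice(1, -1).map(canonicalSegment);
  return `${origin}/` + dirs.slice(0, depth).map((d) => d + "/").join("");
}

// Two URLs may script each other only if their keys match at this depth.
function sameSecurityContext(a, b, depth = 0) {
  return securityKey(a, depth) === securityKey(b, depth);
}

// Constructed sample pages owned by two different authors on one host.
const pageA = "http://www.geocities.com/area/1001/index.html";
const pageB = "http://www.geocities.com/area/2002/index.html";
console.log(sameSecurityContext(pageA, pageB, 0)); // host-wide origin
console.log(sameSecurityContext(pageA, pageB, 2)); // per-directory split
```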
Summary: Ability to restrict domain to a directory → Ability to restrict domain to a directory (document.domain or http header)
Assignee: security-bugs → dveditz
Status: ASSIGNED → NEW
QA Contact: ckritzer → caps
Is this bug still relevant?
The idea is still relevant, but we don't need to track it in a Gecko bug. (And it should certainly not involve document.domain.)
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → WONTFIX