saving stupid coders, so hard work..

I'm not going to tell you where this code lives – but as a general rule, please don't do such things:

// Whatever follows the "?" in the URL, attacker-controlled, becomes document.domain
if (location.search)
{
	document.domain = decodeURIComponent(location.search.split("?").pop());
}

Sigh. Can you imagine how much work we poor browser vendors have to do to protect people who try really hard to write insecure code? This website gives any potential attacker complete control over its security context – the only defence is the browser vendors' algorithms for catching invalid document.domain values. Luckily, these algorithms have improved over time – to rescue people writing such scripts from their own stupidity – and it seems tricks like setting document.domain to .com. are now outlawed in current browsers.

I'm not kidding when I say it's hard to determine if something is a valid value for document.domain. It may seem easy – setting it to example.com on http://www.example.com should be allowed (because "example.com" is the site itself) but setting it to .com should be disallowed (because this is just the top-level domain, TLD for short). But actually, it is a complex issue all browser vendors have to deal with.

The problem boils down to: how do we know what part of a server name is a TLD? Can you guess from a quick look what part of http://www.deichmanske-bibliotek.oslo.kommune.no, http://www.metro.tokyo.jp and http://www.pref.hiroshima.lg.jp is a TLD? There are more complex examples too.

So if you really need to set document.domain – please do so responsibly! We browser vendors have been trying really hard, but I have no idea if our logic is good enough to rescue you if you run such code on a domain with complex TLDs! And if it isn't, the site you've built is wide open to any sort of malicious scripting attack from all other sites on the same top-level domain.
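To make the "what is a TLD?" problem concrete, here is an added example (not the post's code, and not any browser's actual implementation) of the kind of registrable-domain check a browser runs before accepting a new document.domain value, together with a hardened replacement for the snippet above that takes its target from a fixed constant instead of the URL. The suffix list it uses is a tiny constructed subset written for this example only; the entries for kommune.no, tokyo.jp and lg.jp are assumptions for illustration, and real browsers consult the full Public Suffix List. The names publicSuffixOf, canSetDocumentDomain and relaxDomainSafely are this example's own.

```javascript
// Added example: a public-suffix aware check for document.domain.
// PSL_RULES is a constructed, illustrative subset; "*.parent" rules make every
// direct child of "parent" a public suffix, as in the real Public Suffix List.
// The kommune.no / tokyo.jp / lg.jp entries below are assumed for illustration.
const PSL_RULES = new Set([
  "com", "no", "jp",
  "kommune.no", "oslo.kommune.no",
  "tokyo.jp", "metro.tokyo.jp",
  "lg.jp", "*.lg.jp",
]);

// Lower-case the name and strip trailing dots, so ".com." cannot slip past
// a naive "is it equal to the TLD?" comparison.
function normalizeHost(host) {
  let h = String(host).trim().toLowerCase();
  while (h.endsWith(".")) h = h.slice(0, -1);
  return h;
}

// Longest matching rule wins; an unknown TLD falls back to its last label,
// mirroring the PSL's implicit "*" rule.
function publicSuffixOf(host) {
  const labels = normalizeHost(host).split(".");
  let best = labels[labels.length - 1];
  for (let i = labels.length - 1; i >= 0; i--) {
    const candidate = labels.slice(i).join(".");
    const parent = labels.slice(i + 1).join(".");
    if (PSL_RULES.has(candidate) || (parent && PSL_RULES.has("*." + parent))) {
      best = candidate;
    }
  }
  return best;
}

// True only if `proposed` is the current host itself, or a parent of it at a
// label boundary that still lies strictly below the host's public suffix.
function canSetDocumentDomain(currentHost, proposed) {
  const host = normalizeHost(currentHost);
  const target = normalizeHost(proposed);
  if (!host || !target) return false;
  if (target === host) return true;                 // setting it to yourself is harmless
  if (!host.endsWith("." + target)) return false;   // must be a real parent, not a lookalike
  const suffix = publicSuffixOf(host);
  if (target === suffix) return false;              // .com, oslo.kommune.no, ... are shared by strangers
  if (!target.endsWith("." + suffix)) return false; // must be below the suffix, not beside it
  return true;
}

// Hardened counterpart to the snippet in the post: the target is a developer-chosen
// constant (SHARED_PARENT_DOMAIN is a constructed value), never read from the URL,
// and it is validated before use. `doc` is any object with location.hostname and a
// writable domain property: the real document in a browser, a stub in tests.
const SHARED_PARENT_DOMAIN = "example.com";
function relaxDomainSafely(doc, parent = SHARED_PARENT_DOMAIN) {
  if (!canSetDocumentDomain(doc.location.hostname, parent)) return false;
  doc.domain = normalizeHost(parent);
  return true;
}

// Stand-alone demonstration on the hostnames from the post.
console.log(publicSuffixOf("www.deichmanske-bibliotek.oslo.kommune.no"));   // oslo.kommune.no
console.log(canSetDocumentDomain("www.example.com", ".com."));             // false
console.log(canSetDocumentDomain("www.pref.hiroshima.lg.jp", "hiroshima.lg.jp")); // false
```

Note that the answer for each of the three hostnames depends entirely on which suffix rules are present: with the constructed list above, pref.hiroshima.lg.jp is a registrable domain but hiroshima.lg.jp is not, and nothing in the hostname itself reveals that. That is exactly why a site cannot safely derive a document.domain value at runtime and must pin it to a known, validated constant.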


5 thoughts on “saving stupid coders, so hard work..”

  1. Originally posted by hallvors:

    I'm not going to tell you where this code lives

    But Google does, and it lives in a couple places.
