forked from GNUsocial/gnu-social
b73c162256
The Meteor realtime plugin sets document.domain to the common prefix between the main server and the Meteor server's hostnames, which overrides the same-origin controls on JavaScript DOM access so the two parts of the app can speak to each other. This unfortunately causes "fun" side effects for XMLHTTPRequest access to the main domain... if the new domain doesn't match the actual host (eg 'status.net' instead of 'brion.status.net') then we can't access the XHR's responseXML attribute, which holds a DOM tree of the parsed XML return data. As a workaround, if we can't get at the contents there, we'll parse a fresh DOM tree in the local context from the responseText property, which remains available. In the longer term, recommend retooling the realtime stuff so it's not fiddling with document.domain. It could also be an issue as it could allow local JavaScript XSS attacks to migrate to subdomains in other open windows. |
||
---|---|---|
.. | ||
farbtastic | ||
jcrop | ||
identica-badge.js | ||
install.js | ||
jquery.cookie.js | ||
jquery.cookie.min.js | ||
jquery.form.js | ||
jquery.form.min.js | ||
jquery.joverlay.js | ||
jquery.joverlay.min.js | ||
jquery.js | ||
jquery.min.js | ||
json2.js | ||
json2.min.js | ||
userdesign.go.js | ||
util.js | ||
util.min.js |