Defeating The Same Origin Policy.
By secgeeks - Posted on June 29th, 2007

Gareth Heyes contacted me with a few ideas regarding the same origin policy. The next thing I knew, he sent me a few working exploits. Pretty shocked by it, we discussed this some more. I have been reading about the same origin policy in browsers, but I never got around to looking at it more properly. I knew there was a feature that can be modified in a document: document.domain. This sets the domain for the document. Obviously browsers do not allow setting a domain that is outside the document's own location. I cannot set it to Google.com, for instance, because the browser does not permit it. But Gareth showed me that document.domain can be overwritten in Safari and Microsoft Internet Explorer in such a way that it is possible to change document.domain to another value.

The same origin policy works like this (each URL compared against a page on http://store.company.com):

  http://store.company.com/dir2/other.html         => Success
  http://store.company.com/dir/inner/another.html  => Success
  https://store.company.com/secure.html            => Failure => Different protocol
  http://store.company.com:81/dir/etc.htm          => Failure => Different port
  http://news.company.com/dir/other.html           => Failure => Different host

There is one exception to the same origin rule. A script can set the value of document.domain to a suffix of the current domain. If it does so, the shorter domain is used for subsequent origin checks.

Here is the proof of concept by Gareth Heyes. The script below overwrites the document.domain property, which is a real browser flaw.

  <script type="text/javascript">
  var document;
  document = {};
  document.domain = 'www.google.com';
  alert(document.domain);
  </script>

This shows the pitfalls of browser security and how hard it is to secure everything. For now only Microsoft Internet Explorer and Safari have been found vulnerable to overwriting the document.domain property.

Two PoC:
  Microsoft Internet Explorer document.domain overwriting
  Safari document.domain overwriting