| 16:48 | <JakeA> | Curious: when did the origin model first become a thing? window.open, iframes? Something else? |
| 18:09 | <annevk> | JakeA: I’m interested |
| 18:10 | <JakeA> | Haha I thought you'd know, if anyone |
| 20:42 | <Krinkle> | something around <frameset> or cross-origin <object> perhaps, trying to find when document.domain was first mentioned in mailing lists.. |
| 20:52 | <annevk> | JakeA: Wikipedia suggests it came with NN2, together with JavaScript and cookies |
| 20:53 | <annevk> | It’d be really nice if someone were to find a more detailed document though |
| 21:14 | <Krinkle> | That Wikipedia statement has a citation for the fact that JS came with NN2 but the source doesn't say anything about SOP or related concepts from what I can tell. |
| 21:14 | <Krinkle> | a 2009 slidedeck linked from <https://www.w3.org/Security/wiki/Same_Origin_Policy> suggests that it was "tacked on later" |
| 21:23 | <Krinkle> | The oldest CVE mentioning Same origin/SOP is this from 2002 it seems - https://www.cvedetails.com/cve/CVE-2002-0815/ |
| 21:23 | <Krinkle> | An older one from 1999 suggests that at the time IE did not (correctly) implement document.domain. – https://www.cvedetails.com/cve/CVE-1999-0869/ |
| 21:24 | Krinkle | does this kind of analysis quite often for Wikipedia articles |
| 21:30 | <Krinkle> | A 1998 Usenix-published paper refers to document.domain as well, which seems fairly reliable and places it mainly in the context of frames <https://static.usenix.org/publications/library/proceedings/sec98/full_papers/anupam/anupam.pdf> |
| 21:34 | <Krinkle> | This copy of a 1997 Netscape manual says document.domain was introduced in Netscape 3 – https://www.cs.huji.ac.il/labs/parallel/Docs/Javascript_ref/doc1.htm#1010697 |
| 21:34 | <Krinkle> | As part of its "data tainting" feature that prevents reading of properties across origins. – https://www.cs.huji.ac.il/labs/parallel/Docs/Javascript_ref/intro.htm#1014735 |
| 21:35 | <Krinkle> | when two frames match their domain property, they essentially opt-in to the legacy pre-tainted behaviour of being able to read stuff again |
| 21:38 | <Krinkle> | Not able to find a more authoritative copy of that manual though, this is a bit of a random host |
| 21:51 | <Krinkle> | found it – https://web.archive.org/web/20010207191536/http://developer.netscape.com/docs/manuals/js/client/jsguide/sec.htm |
| 21:55 | <Krinkle> | fun fact - "Netscape Enterprise Server" offered "Server-Side JavaScript 1.4" in 1999 |
| 21:55 | <Krinkle> | https://web.archive.org/web/19990904060408/http://developer.netscape.com/docs/manuals/index.html?content=javascript.html |
| 22:52 | <Krinkle> | OK. Last one is - https://web.archive.org/web/20020808153106/http://wp.netscape.com:80/eng/mozilla/3.0/handbook/javascript/advtopic.htm#1009533 |
| 22:52 | <Krinkle> | Added to the SOP Wikipedia article. Calling it at that :) - JakeA |
| 22:52 | <Krinkle> | Remember navigator.taintEnabled() ? |
| 22:54 | <Krinkle> | Looks like it may've been motivated not by cross-domain access but by internet-to-localdisk access. E.g. if you framed C:\ it looks like it may've been possible to access the default directory rendering of it from the web. |
| 22:54 | <Krinkle> | http://web.archive.org/web/19970614000552/http://home.netscape.com/eng/mozilla/2.02/relnotes/windows-2.02.html#Update |
| 22:55 | <Krinkle> | "Navigator 2.02 fixes this problem by refusing to allow a script from a server to view file names and directory listings from the local user's machine." |