While going through the location sources for DOM XSS attacks, I was trying to understand the differences in their usage (i.e. where to use what). According to MDN, the difference between document.documentURI and document.URL is the following:
HTML documents have a document.URL property which returns the same value. Unlike URL, documentURI is available on all types of documents.
Can anyone explain the cases where only documentURI is available and not URL?
EDIT:
I would like to know a few specific cases where this actually happens.
A Uniform Resource Identifier (URI) is a unique sequence of characters that identifies a logical or physical resource used by web technologies. URIs may be used to identify anything, including real-world objects, such as people and places, concepts, or information resources such as web pages and books.
The Document.location read-only property returns a Location object, which contains information about the URL of the document and provides methods for changing that URL and loading another URL. Though Document.location is a read-only Location object, you can also assign a string to it.
document.documentURI is available on HTML documents and on non-HTML documents.
document.URL is available on HTML documents.
Example:
<?xml version="1.0" ?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" xmlns="http://www.w3.org/2000/svg">
<circle cx="250" cy="250" r="50" fill="red" />
<script type="text/javascript">
<![CDATA[
alert(document.URL);
alert(document.documentURI);
]]>
</script>
</svg>
The first alert (document.URL) will be undefined.
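For anyone auditing code for the location sources discussed here, the following is an added example (not part of the original question or answer) of a small line-based check that flags reads of location-derived values, so that a review which only searches for document.URL does not miss document.documentURI. The function name findLocationSources, the list of properties in the pattern, and the sample script are assumptions made for this illustration.

```javascript
// Added example: flag reads of location-derived DOM XSS sources in script text.
// The property list is an assumption (commonly cited location sources); a
// real audit would extend it and use a proper JavaScript parser instead.
const SOURCE_RE = new RegExp(
  '(?<![\\w$.])' +                              // not part of another identifier or member chain
  '(?:(?:window|self|top|parent)\\.)?' +        // optional global prefix
  '(?:document\\.(?:URL|documentURI|baseURI|location)|location)' +
  '(?:\\.(?:href|hash|search|pathname))?' +     // optional Location property
  '(?![\\w$])',                                 // identifier ends here
  'g'
);

// Returns [{ line, source }] for every source expression found in `code`.
function findLocationSources(code) {
  const findings = [];
  code.split('\n').forEach((text, idx) => {
    for (const m of text.matchAll(SOURCE_RE)) {
      findings.push({ line: idx + 1, source: m[0] });
    }
  });
  return findings;
}

// Constructed sample input: lines 1-3 read a location source, lines 4-5
// only look similar and must not be reported.
const SAMPLE = [
  'var a = document.URL;',
  'var b = document.documentURI.split("#")[1];',
  'el.innerHTML = decodeURIComponent(window.location.hash.slice(1));',
  'var safe = config.location;',
  'var c = mydocument.URLs;',
].join('\n');

for (const f of findLocationSources(SAMPLE)) {
  console.log('line ' + f.line + ': ' + f.source);
}
```

Because it works on raw text, the check also reports matches inside comments and string literals, and it does not follow aliases such as a variable that holds the document object.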