W3C home > Mailing lists > Public > whatwg@whatwg.org > August 2013

[whatwg] Disabling document.domain setting on iframe@sandbox (especially with allow-same-origin)

From: David Bruant <bruant.d@gmail.com>
Date: Sat, 03 Aug 2013 00:44:18 +0200
Message-ID: <51FC3642.2040506@gmail.com>
To: whatwg <whatwg@whatwg.org>
Hi,

Moving a part on an es-discuss discussion [1]

Boris Zbarsky wrote:
> Hixie is suggesting process-isolating iframes that are not same-origin
> to start with and can't be made same-origin via document.domain
Quite a noble purpose.
Note that is condition applies to sandboxed iframes (except for 
allow-same-origin) which is an awesome feature.

> He is not suggesting process-isolating iframes which might ever become
> same-origin.
>
> So his proposed implementation gives good defence in depth for things
> that are completely different origins and always will be, but does
> nothing for protecting mail.google.com from calendar.google.com, say,
> compared to the current situation..
And apparently @sandbox doesn't help here if there is allow-same-origin. 
So here is an idea: make the document.domain setter throw inside an 
iframe@sandbox, *regardless* of allow-same-origin. That solves the 
mail.google.com VS calendar.google.com case.
It doesn't solve the case of when the parent shortens its 
document.domain to match the allow-same-origin sandboxed iframe, but I 
feel it's a rare case to load an x.y iframe from an w.x.y page.

David

[1] https://mail.mozilla.org/pipermail/es-discuss/2013-August/032491.html
Received on Friday, 2 August 2013 22:44:45 UTC

This archive was generated by hypermail 2.3.1 : Monday, 13 April 2015 23:09:23 UTC