Re: [whatwg] Disabling document.domain setting on iframe@sandbox (especially with allow-same-origin)

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Fri, 02 Aug 2013 21:03:30 -0400
Message-ID: <51FC56E2.6020709@mit.edu>
To: whatwg@lists.whatwg.org

On 8/2/13 6:44 PM, David Bruant wrote:
> And apparently @sandbox doesn't help here if there is allow-same-origin.
> So here is an idea: make the document.domain setter throw inside an
> iframe@sandbox, *regardless* of allow-same-origin. That solves the
> mail.google.com VS calendar.google.com case.

How exactly does it solve it?  How is @sandbox even relevant here?

> It doesn't solve the case of when the parent shortens its
> document.domain to match the allow-same-origin sandboxed iframe, but I
> feel it's a rare case to load an x.y iframe from an w.x.y page.

I'm not sure what you mean.  document.domain requires opt-in on both
sides, so the "x.y and w.x.y" case is no different from the
"mail.google.com and calendar.google.com" case.

-Boris
Received on Saturday, 3 August 2013 01:03:58 UTC
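
The both-sides opt-in rule from the reply above, as an added example that is not part of the original message: a simplified JavaScript model of the same origin-domain check that document.domain feeds into. The helper names and the two-entry public suffix set are assumptions made for the illustration, not browser code.

```javascript
// Simplified model of the "same origin-domain" check behind document.domain.
// Constructed for illustration; not browser code and not from the thread.
const PUBLIC_SUFFIXES = new Set(["com", "y"]); // assumption: stand-in for the real list

function makeDocument(scheme, host, port) {
  // domain stays null until the page itself assigns document.domain
  return { scheme, host, port, domain: null };
}

// Models the setter: the value must be the host or a parent domain of it,
// and must not be a bare public suffix.
function setDocumentDomain(doc, value) {
  const isSuffix = doc.host === value || doc.host.endsWith("." + value);
  if (!isSuffix || PUBLIC_SUFFIXES.has(value)) {
    throw new Error("SecurityError: " + value + " not allowed for " + doc.host);
  }
  doc.domain = value;
}

// Models the cross-document access check.
function sameOriginDomain(a, b) {
  if (a.domain !== null && b.domain !== null) {
    // Both opted in: scheme and relaxed domain must match, port is ignored.
    return a.scheme === b.scheme && a.domain === b.domain;
  }
  if (a.domain === null && b.domain === null) {
    return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
  }
  // Only one side opted in: never same origin-domain.
  return false;
}

// Runs one pairing through three stages and reports access at each stage.
function scenario(hostA, hostB, shared) {
  const a = makeDocument("https", hostA, 443);
  const b = makeDocument("https", hostB, 443);
  const before = sameOriginDomain(a, b);
  setDocumentDomain(a, shared);
  const oneSide = sameOriginDomain(a, b);
  setDocumentDomain(b, shared);
  const bothSides = sameOriginDomain(a, b);
  return { before, oneSide, bothSides };
}

console.log(scenario("mail.google.com", "calendar.google.com", "google.com"));
console.log(scenario("w.x.y", "x.y", "x.y"));
```

In the second scenario the x.y document has to assign its own host to document.domain before the check passes, which is why the two pairings behave the same way.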