
Re: [whatwg] Disabling document.domain setting on iframe@sandbox (especially with allow-same-origin)

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Fri, 02 Aug 2013 21:17:46 -0400
Message-ID: <51FC5A3A.5060609@mit.edu>
To: whatwg@lists.whatwg.org

On 8/2/13 6:55 PM, Ian Hickson wrote:
> How does it solve it? (What _is_ the "mail.google.com vs
> calendar.google.com case"?)

The case is when mail.google.com tries to attack calendar.google.com, 
and they can't be in different processes as mitigation because you never 
know when they'll both set domain to "google.com"...

-Boris
Received on Saturday, 3 August 2013 01:18:12 UTC
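
The case in the message above, as an added example that is not part of the original post: a simplified JavaScript model of the browser's same origin-domain check, showing why two hosts that could both set `document.domain` to a shared parent cannot safely be split into separate processes. The function names and the one-dot stand-in for the public-suffix check are assumptions of this sketch.

```javascript
// Origins are modelled as {scheme, host, port, domain}; domain stays null
// until the page sets document.domain. Hypothetical helper names throughout.
function makeOrigin(scheme, host, port) {
  return { scheme, host, port, domain: null };
}

// Values a page on this host may assign to document.domain: the host itself
// or a parent suffix. Real browsers consult the public suffix list; this
// model only refuses single-label values such as "com".
function allowedDomains(origin) {
  const labels = origin.host.split(".");
  const out = [];
  for (let i = 0; i + 1 < labels.length; i++) out.push(labels.slice(i).join("."));
  return out;
}

// Model of the document.domain setter: returns the updated origin or throws.
function setDomain(origin, value) {
  if (!allowedDomains(origin).includes(value)) {
    throw new Error("SecurityError: " + value + " not allowed for " + origin.host);
  }
  return { ...origin, domain: value };
}

// Same origin-domain: if either side set document.domain, both must have set
// it to the same value (port is then ignored); otherwise plain same-origin.
function sameOriginDomain(a, b) {
  if (a.domain !== null || b.domain !== null) {
    return a.scheme === b.scheme && a.domain !== null && a.domain === b.domain;
  }
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// A process boundary is only safe between origins that can never converge.
function couldBecomeSameOriginDomain(a, b) {
  const bDomains = allowedDomains(b);
  return a.scheme === b.scheme && allowedDomains(a).some((d) => bDomains.includes(d));
}

// Constructed sample origins matching the hosts named in the message.
const mail = makeOrigin("https", "mail.google.com", 443);
const calendar = makeOrigin("https", "calendar.google.com", 443);
console.log(sameOriginDomain(mail, calendar));            // cross-origin at load
const mailRelaxed = setDomain(mail, "google.com");
const calendarRelaxed = setDomain(calendar, "google.com");
console.log(sameOriginDomain(mailRelaxed, calendar));     // one-sided opt-in is not enough
console.log(sameOriginDomain(mailRelaxed, calendarRelaxed)); // both opted in
console.log(couldBecomeSameOriginDomain(mail, calendar)); // so they must share a process
```
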
