Re: [whatwg] Disabling document.domain setting on iframe@sandbox (especially with allow-same-origin)

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Sat, 03 Aug 2013 10:02:17 -0400
Message-ID: <51FD0D69.6060206@mit.edu>
To: David Bruant <bruant.d@gmail.com>
Cc: whatwg@lists.whatwg.org
On 8/3/13 9:48 AM, David Bruant wrote:
> "a.example.org" can sandbox the iframe to "b.example.org" and process
> isolation becomes possible again

Yes, agreed.  This might be a good idea.  It just has nothing to do with 
protecting one from attacks by the other in general, because they can 
use window.open and loads...

> What I'm suggesting is the following: poison the document.domain setter
> in sandboxed iframes regardless of whether there is allow-same-origin.

I like it, yes.

> The only case this doesn't allow to optimize is "a.example.org" with an
> iframe to "example.org", where "a.example.org" might set document.domain
> to "example.org".

It doesn't matter, because _both_ have to set document.domain.  As in, 
a.example.org setting .domain to "example.org" does not make it 
same-origin with example.org unless the latter also explicitly sets 
.domain to "example.org".  Which we would disallow in sandboxed iframes.

-Boris
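The point in the last paragraph, that relaxing document.domain only takes effect when both sides set it, and the proposal that a sandboxed iframe refuses to set it at all, as an added model in JavaScript (not code from the thread or from any browser; the origin records, the `sandboxed` flag and the suffix check are constructed simplifications):

```javascript
// Constructed model of the HTML "same origin-domain" comparison and of the
// proposed behaviour that document.domain cannot be set inside a sandboxed
// iframe. Origins are plain objects; real browsers also consult the public
// suffix list, which this model omits.
class SecurityError extends Error {}

function makeDocument(scheme, host, { sandboxed = false } = {}) {
  // domain stays null until the page assigns document.domain
  return { scheme, host, domain: null, sandboxed };
}

// Models the document.domain setter. A page may only relax to a suffix of its
// own host; under the proposal a sandboxed document throws regardless of
// whether allow-same-origin was granted.
function setDocumentDomain(doc, value) {
  if (doc.sandboxed) {
    throw new SecurityError("document.domain is disabled in a sandboxed iframe");
  }
  const allowed = value === doc.host || doc.host.endsWith("." + value);
  if (!allowed) {
    throw new SecurityError(`${doc.host} cannot set document.domain to ${value}`);
  }
  doc.domain = value;
}

// Two documents are same origin-domain only if both have set document.domain
// to the same value (same scheme), or neither has and their hosts match.
// A document that relaxed its domain is never same origin-domain with one
// that did not, which is why a.example.org alone gains nothing.
function sameOriginDomain(a, b) {
  if (a.scheme !== b.scheme) return false;
  if (a.domain !== null && b.domain !== null) return a.domain === b.domain;
  if (a.domain === null && b.domain === null) return a.host === b.host;
  return false;
}
```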
Received on Saturday, 3 August 2013 14:02:44 UTC