On Fri, Apr 28, 2017 at 10:26 AM, Anne van Kesteren <annevk@annevk.nl>
wrote:
> On Fri, Apr 28, 2017 at 10:10 AM, Mike West <mkwst@google.com> wrote:
> > `WindowProxy`'s `[[GetOwnProperty]]` uses
> > https://html.spec.whatwg.org/#isplatformobjectsameorigin-(-o-): I'd just
> > stick with that as a determinant of the properties listed in
> > https://html.spec.whatwg.org/#crossoriginproperties-(-o-).
>
> Wouldn't you then fail to address point 7 of the threat model?
>
I thought Emily's proposal prevented point 7 by preventing isolated pages
from setting `document.domain`, but I don't see that in the doc. Emily, am
I just making things up now? :)
Filed https://github.com/WICG/isolation/issues/12 to discuss, as I'd prefer
that approach to increasing the complexity of the `WindowProxy` checks
themselves.
-mike