- From: David Bruant <bruant.d@gmail.com>
- Date: Sat, 03 Aug 2013 00:44:18 +0200
- To: whatwg <whatwg@whatwg.org>

Hi,

Moving a part of an es-discuss discussion [1]

Boris Zbarsky wrote:
> Hixie is suggesting process-isolating iframes that are not same-origin
> to start with and can't be made same-origin via document.domain

Quite a noble purpose. Note that this condition applies to sandboxed iframes (except for allow-same-origin), which is an awesome feature.

> He is not suggesting process-isolating iframes which might ever become
> same-origin.
>
> So his proposed implementation gives good defence in depth for things
> that are completely different origins and always will be, but does
> nothing for protecting mail.google.com from calendar.google.com, say,
> compared to the current situation.

And apparently @sandbox doesn't help here if there is allow-same-origin.

So here is an idea: make the document.domain setter throw inside an iframe@sandbox, *regardless* of allow-same-origin. That solves the mail.google.com VS calendar.google.com case.

It doesn't solve the case of when the parent shortens its document.domain to match the allow-same-origin sandboxed iframe, but I feel it's a rare case to load an x.y iframe from a w.x.y page.

David

[1] https://mail.mozilla.org/pipermail/es-discuss/2013-August/032491.html

Received on Friday, 2 August 2013 22:44:45 UTC