- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Fri, 02 Aug 2013 21:03:30 -0400
- To: whatwg@lists.whatwg.org
On 8/2/13 6:44 PM, David Bruant wrote:
> And apparently @sandbox doesn't help here if there is allow-same-origin.
> So here is an idea: make the document.domain setter throw inside an
> iframe@sandbox, *regardless* of allow-same-origin. That solves the
> mail.google.com VS calendar.google.com case.

How exactly does it solve it? How is @sandbox even relevant here?

> It doesn't solve the case of when the parent shortens its
> document.domain to match the allow-same-origin sandboxed iframe, but I
> feel it's a rare case to load an x.y iframe from an w.x.y page.

I'm not sure what you mean. document.domain requires opt-in on both sides, so the "x.y and w.x.y" case is no different from the "mail.google.com and calendar.google.com" case.

-Boris
Received on Saturday, 3 August 2013 01:03:58 UTC
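
The both-sides opt-in described in the message above, as an added example that is not part of the original message: a simplified JavaScript model of the "same origin-domain" comparison used for cross-frame DOM access. The `Origin` class and the function names are hypothetical, the hosts are constructed, and the public-suffix check a real browser applies in the setter is omitted.

```javascript
// Simplified model of the HTML "same origin-domain" check that governs
// synchronous cross-frame DOM access. Names are for illustration only.
class Origin {
  constructor(scheme, host, port) {
    this.scheme = scheme;
    this.host = host;
    this.port = port;
    this.domain = null; // stays null until the page assigns document.domain
  }

  // Model of the document.domain setter: the new value must be the current
  // effective domain or a parent suffix of it. (A real browser also rejects
  // public suffixes such as "com"; that check is omitted in this model.)
  setDomain(value) {
    const current = this.domain ?? this.host;
    if (value !== current && !current.endsWith("." + value)) {
      throw new Error(`SecurityError: "${value}" is not a suffix of "${current}"`);
    }
    this.domain = value;
  }
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// If either side has set document.domain, BOTH must have set it, and to the
// same value. Otherwise fall back to the plain same-origin comparison.
function sameOriginDomain(a, b) {
  if (a.domain !== null || b.domain !== null) {
    return a.domain !== null && b.domain !== null &&
           a.scheme === b.scheme && a.domain === b.domain;
  }
  return sameOrigin(a, b);
}

// Constructed scenario: a w.x.y parent framing an x.y document.
function parentChildDemo() {
  const parent = new Origin("https", "w.x.y", 443);
  const child = new Origin("https", "x.y", 443);
  const steps = [sameOriginDomain(parent, child)]; // neither side opted in
  parent.setDomain("x.y");
  steps.push(sameOriginDomain(parent, child));     // only the parent opted in
  child.setDomain("x.y");                          // same value, but explicit
  steps.push(sameOriginDomain(parent, child));     // both sides opted in
  return steps;
}
```

In this model the x.y child gains nothing from the parent shortening its domain until the child itself assigns `document.domain`, which is the same requirement the two sibling subdomains face.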