- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Sat, 03 Aug 2013 10:02:17 -0400
- To: David Bruant <bruant.d@gmail.com>
- Cc: whatwg@lists.whatwg.org

On 8/3/13 9:48 AM, David Bruant wrote:
> "a.example.org" can sandbox the iframe to "b.example.org" and process
> isolation becomes possible again

Yes, agreed. This might be a good idea. It just has nothing to do with protecting one from attacks by the other in general, because they can use window.open and loads...

> What I'm suggesting is the following: poison the document.domain setter
> in sandboxed iframes regardless of whether there is allow-same-origin.

I like it, yes.

> The only case this doesn't allow to optimize is "a.example.org" with an
> iframe to "example.org", where "a.example.org" might set document.domain
> to "example.org".

It doesn't matter, because _both_ have to set document.domain. As in, a.example.org setting .domain to "example.org" does not make it same-origin with example.org unless the latter also explicitly sets .domain to "example.org". Which we would disallow in sandboxed iframes.

-Boris

Received on Saturday, 3 August 2013 14:02:44 UTC
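
The two-sided opt-in described in the message above, modelled as an added example that is not part of the original message or of any browser's code. `makeDoc`, `setDomain`, `sameOriginDomain` and `demo` are hypothetical names, the `sandboxed` flag models the setter poisoning proposed in the thread, and the real setter's public-suffix check is left out.

```javascript
// Simplified model of a document's origin plus its document.domain state.
// domain === null means the page never assigned document.domain.
function makeDoc(url, { sandboxed = false } = {}) {
  const u = new URL(url);
  return { scheme: u.protocol, host: u.hostname, port: u.port, domain: null, sandboxed };
}

// Model of the document.domain setter. The sandboxed branch is the proposal
// from the thread: refuse the assignment in any sandboxed iframe, with or
// without allow-same-origin.
function setDomain(doc, value) {
  if (doc.sandboxed) {
    throw new Error("SecurityError: document.domain setter disabled in sandboxed iframe");
  }
  // The new value must be the current host or a parent domain of it.
  if (value !== doc.host && !doc.host.endsWith("." + value)) {
    throw new Error("SecurityError: value is not a suffix of the host");
  }
  doc.domain = value;
}

// Same origin-domain check: once either side has set document.domain, both
// must have set it to the same value (the port is then ignored). Otherwise
// the ordinary scheme/host/port comparison applies.
function sameOriginDomain(a, b) {
  if (a.scheme !== b.scheme) return false;
  if (a.domain !== null || b.domain !== null) return a.domain === b.domain;
  return a.host === b.host && a.port === b.port;
}

// Constructed scenario: a.example.org framing example.org.
function demo() {
  const results = {};
  const parent = makeDoc("https://a.example.org/");
  const child = makeDoc("https://example.org/");
  setDomain(parent, "example.org");
  results.oneSided = sameOriginDomain(parent, child); // only the parent opted in
  setDomain(child, "example.org");
  results.bothSet = sameOriginDomain(parent, child);  // both opted in
  const boxed = makeDoc("https://example.org/", { sandboxed: true });
  try { setDomain(boxed, "example.org"); results.setter = "allowed"; }
  catch (e) { results.setter = "blocked"; }
  results.sandboxedChild = sameOriginDomain(parent, boxed);
  return results;
}
```
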