[whatwg] Disabling document.domain setting on iframe at sandbox (especially with allow-same-origin)

Boris Zbarsky bzbarsky at MIT.EDU
Fri Aug 2 18:17:46 PDT 2013

Previous message: [whatwg] Disabling document.domain setting on iframe at sandbox (especially with allow-same-origin)
Next message: [whatwg] Disabling document.domain setting on iframe at sandbox (especially with allow-same-origin)
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 8/2/13 6:55 PM, Ian Hickson wrote:
> How does it solve it? (What _is_ the "mail.google.com vs
> calendar.google.com case"?)

The case is when mail.google.com tries to attack calendar.google.com, 
and they can't be in different processes as mitigation because you never 
know when they'll both set domain to "google.com"...

-Boris

Previous message: [whatwg] Disabling document.domain setting on iframe at sandbox (especially with allow-same-origin)
Next message: [whatwg] Disabling document.domain setting on iframe at sandbox (especially with allow-same-origin)
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the whatwg mailing list