[whatwg] Disabling document.domain setting on iframe at sandbox (especially with allow-same-origin)
David Bruant
bruant.d at gmail.com
Fri Aug 2 15:44:18 PDT 2013
Hi,
Moving part of an es-discuss discussion [1].
Boris Zbarsky wrote:
> Hixie is suggesting process-isolating iframes that are not same-origin
> to start with and can't be made same-origin via document.domain
Quite a noble purpose.
Note that this condition applies to sandboxed iframes (except with
allow-same-origin), which is an awesome feature.
> He is not suggesting process-isolating iframes which might ever become
> same-origin.
>
> So his proposed implementation gives good defence in depth for things
> that are completely different origins and always will be, but does
> nothing for protecting mail.google.com from calendar.google.com, say,
> compared to the current situation.
And apparently @sandbox doesn't help here if there is allow-same-origin.
So here is an idea: make the document.domain setter throw inside an
iframe at sandbox, *regardless* of allow-same-origin. That solves the
mail.google.com VS calendar.google.com case.
It doesn't solve the case of when the parent shortens its
document.domain to match the allow-same-origin sandboxed iframe, but I
feel it's a rare case to load an x.y iframe from an w.x.y page.
David
[1] https://mail.mozilla.org/pipermail/es-discuss/2013-August/032491.html
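An added illustration, not part of David's mail or of any browser's or spec's
code: a small JavaScript model of the document.domain setter that contrasts the
behaviour described in the thread (only a sandbox without allow-same-origin
blocks the setter, because the document then has an opaque origin) with the
proposed rule (the setter throws in any sandboxed iframe). The "registrable
domain suffix" check is simplified: PUBLIC_SUFFIXES is a constructed stand-in
for the real Public Suffix List, and origins are compared by host only, with no
scheme or port. All function and scenario names are the example's own.

```javascript
// Constructed, deliberately incomplete stand-in for the Public Suffix List.
const PUBLIC_SUFFIXES = new Set(['com', 'co.uk']);

// Registrable domain: the public suffix plus one label, or null when the host
// is itself a public suffix or has no suffix we know about.
function registrableDomain(host) {
  const labels = host.split('.');
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join('.'))) {
      return i === 0 ? null : labels.slice(i - 1).join('.');
    }
  }
  return null;
}

// "candidate is a registrable domain suffix of, or equal to, host": candidate
// must be a dot-aligned suffix of host and must itself be registrable, so
// "google.com" is accepted for mail.google.com but a bare "com" is not.
function isRegistrableDomainSuffixOrEqual(candidate, host) {
  if (candidate === host) return true;
  return host.endsWith('.' + candidate) && registrableDomain(candidate) !== null;
}

class SecurityError extends Error {}

// A document: its host, its effective domain (null until document.domain is
// set) and the sandbox state of the iframe it was loaded into, if any.
function makeDocument(host, { sandboxed = false, allowSameOrigin = false } = {}) {
  return { host, domain: null, sandboxed, allowSameOrigin };
}

// The setter. proposedRule=false: only a sandbox without allow-same-origin
// (opaque origin) blocks it. proposedRule=true: any sandboxed iframe blocks it,
// which is the rule suggested in the mail above.
function setDocumentDomain(doc, value, { proposedRule = false } = {}) {
  if (doc.sandboxed && (proposedRule || !doc.allowSameOrigin)) {
    throw new SecurityError('document.domain is disabled in this sandboxed iframe');
  }
  const candidate = value.toLowerCase().replace(/\.$/, '');
  if (!isRegistrableDomainSuffixOrEqual(candidate, doc.host)) {
    throw new SecurityError(`"${value}" is not a registrable domain suffix of ${doc.host}`);
  }
  doc.domain = candidate;
  return doc.domain;
}

// Same origin-domain, host-only version: both documents set document.domain to
// the same value, or neither did and the hosts match.
function sameOriginDomain(a, b) {
  if (a.domain !== null && b.domain !== null) return a.domain === b.domain;
  return a.domain === null && b.domain === null && a.host === b.host;
}

// The mail.google.com vs calendar.google.com case: calendar is loaded in an
// iframe with sandbox="allow-same-origin" and both sides try to relax to
// google.com. Returns what the pair ends up as.
function mailCalendarScenario(proposedRule) {
  const mail = makeDocument('mail.google.com');
  const calendar = makeDocument('calendar.google.com',
    { sandboxed: true, allowSameOrigin: true });
  setDocumentDomain(mail, 'google.com', { proposedRule });
  try {
    setDocumentDomain(calendar, 'google.com', { proposedRule });
  } catch (e) {
    if (!(e instanceof SecurityError)) throw e;
    return 'blocked';
  }
  return sameOriginDomain(mail, calendar) ? 'same-origin-domain' : 'separate';
}

// The case the mail says the proposal leaves open: a non-sandboxed parent at
// www.example.com is still free to shorten its own domain.
function parentShortenScenario(proposedRule) {
  const parent = makeDocument('www.example.com');
  return setDocumentDomain(parent, 'example.com', { proposedRule });
}
```

Under the rule as the thread describes it, mailCalendarScenario(false) ends
with the two documents same origin-domain; under the proposed rule it reports
"blocked" because the sandboxed calendar frame cannot run the setter at all,
while the non-sandboxed parent in parentShortenScenario succeeds either way.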