[whatwg] Disabling document.domain setting on iframe at sandbox (especially with allow-same-origin)

David Bruant bruant.d at gmail.com
Fri Aug 2 15:44:18 PDT 2013


Moving part of an es-discuss discussion [1]

Boris Zbarsky wrote:
> Hixie is suggesting process-isolating iframes that are not same-origin
> to start with and can't be made same-origin via document.domain
Quite a noble purpose.
Note that this condition applies to sandboxed iframes (except for 
allow-same-origin), which is an awesome feature.

> He is not suggesting process-isolating iframes which might ever become
> same-origin.
> So his proposed implementation gives good defence in depth for things
> that are completely different origins and always will be, but does
> nothing for protecting mail.google.com from calendar.google.com, say,
> compared to the current situation.
And apparently @sandbox doesn't help here if there is allow-same-origin. 
So here is an idea: make the document.domain setter throw inside an 
iframe at sandbox, *regardless* of allow-same-origin. That solves the 
mail.google.com vs. calendar.google.com case.
It doesn't solve the case of when the parent shortens its 
document.domain to match the allow-same-origin sandboxed iframe, but I 
feel it's a rare case to load an x.y iframe from a w.x.y page.


[1] https://mail.mozilla.org/pipermail/es-discuss/2013-August/032491.html
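As an added illustration (not code from the post or from any browser), here is a small Node.js model of the document.domain relaxation rules and of the proposed "setter throws inside any sandboxed iframe" rule, run over the mail.google.com / calendar.google.com case above. The function names, the frame representation and the one-entry public-suffix list are assumptions of the model.

```javascript
// Model of document.domain relaxation and of the proposal in the post. Names
// (makeFrame, setDocumentDomain, sameOriginDomain) are assumed for this model;
// the public-suffix list is a constructed sample, not the real PSL.
const PUBLIC_SUFFIXES = new Set(['com']);

// A document in a frame. A sandboxed frame without allow-same-origin gets an
// opaque (unique) origin, modelled here as a Symbol.
function makeFrame({ host, sandboxed = false, allowSameOrigin = false }) {
  const opaque = sandboxed && !allowSameOrigin;
  return { origin: opaque ? Symbol(host) : host, domain: null, sandboxed };
}

// Effective domain: the explicitly set document.domain, else the origin host.
function effectiveDomain(frame) {
  return frame.domain ?? frame.origin;
}

// Suffix rule: the new value must equal the current effective domain or be a
// label-boundary suffix of it, and must not be a public suffix.
function isRelaxableTo(current, next) {
  if (PUBLIC_SUFFIXES.has(next)) return false;
  return next === current || current.endsWith('.' + next);
}

// document.domain = value. With `proposed` the post's rule applies: the setter
// throws inside any sandboxed iframe, regardless of allow-same-origin.
function setDocumentDomain(frame, value, { proposed = false } = {}) {
  if (proposed && frame.sandboxed) throw new Error('SecurityError: sandboxed');
  const current = effectiveDomain(frame);
  if (typeof current === 'symbol') throw new Error('SecurityError: opaque origin');
  if (!isRelaxableTo(current, value)) throw new Error('SecurityError: bad suffix');
  frame.domain = value;
}

// Two documents are same origin-domain when both relaxed to the same domain,
// or when neither relaxed and their origins are identical.
function sameOriginDomain(a, b) {
  if (a.domain === null && b.domain === null) return a.origin === b.origin;
  return a.domain !== null && a.domain === b.domain;
}

// The post's case: mail.google.com embeds calendar.google.com in an
// <iframe sandbox="allow-scripts allow-same-origin">; both relax to google.com.
function mailCalendarScenario(proposed) {
  const mail = makeFrame({ host: 'mail.google.com' });
  const cal = makeFrame({ host: 'calendar.google.com', sandboxed: true, allowSameOrigin: true });
  setDocumentDomain(mail, 'google.com', { proposed });
  try { setDocumentDomain(cal, 'google.com', { proposed }); }
  catch (e) { return { joined: false, reason: e.message }; }
  return { joined: sameOriginDomain(mail, cal), reason: 'relaxed' };
}
```

With today's rules `mailCalendarScenario(false)` reports the two documents as joined; with the proposed rule the sandboxed calendar frame's setter throws and they stay separate.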
