[whatwg] Disabling document.domain setting on iframe at sandbox (especially with allow-same-origin)
Ian Hickson
ian at hixie.ch
Fri Aug 2 15:55:37 PDT 2013
On Sat, 3 Aug 2013, David Bruant wrote:
> Boris Zbarsky wrote:
> >
> > So his proposed implementation gives good defence in depth for things
> > that are completely different origins and always will be, but does
> > nothing for protecting mail.google.com from calendar.google.com, say,
> > compared to the current situation..
>
> And apparently @sandbox doesn't help here if there is allow-same-origin. So
> here is an idea: make the document.domain setter throw inside an
> iframe at sandbox, *regardless* of allow-same-origin. That solves the
> mail.google.com VS calendar.google.com case.
How does it solve it? (What _is_ the "mail.google.com vs
calendar.google.com case"?)
> It doesn't solve the case of when the parent shortens its document.domain to
> match the allow-same-origin sandboxed iframe, but I feel it's a rare case to
> load an x.y iframe from an w.x.y page.
I think this is based on a misunderstanding of document.domain. For
document.domain to work, _both_ sides have to do it.
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
More information about the whatwg
mailing list