[whatwg] Disabling document.domain setting on iframe at sandbox (especially with allow-same-origin)

Boris Zbarsky bzbarsky at MIT.EDU
Fri Aug 2 18:03:30 PDT 2013


On 8/2/13 6:44 PM, David Bruant wrote:
> And apparently @sandbox doesn't help here if there is allow-same-origin.
> So here is an idea: make the document.domain setter throw inside an
> iframe at sandbox, *regardless* of allow-same-origin. That solves the
> mail.google.com VS calendar.google.com case.

How exactly does it solve it?  How is @sandbox even relevant here?

> It doesn't solve the case of when the parent shortens its
> document.domain to match the allow-same-origin sandboxed iframe, but I
> feel it's a rare case to load an x.y iframe from an w.x.y page.

I'm not sure what you mean.  document.domain requires opt-on on both 
sides, so the "x.y and w.x.y" case is no different from the 
"mail.google.com and calendar.google.com" case.

-Boris



More information about the whatwg mailing list