[whatwg] Disabling document.domain setting on iframe at sandbox (especially with allow-same-origin)
bzbarsky at MIT.EDU
Fri Aug 2 18:03:30 PDT 2013
On 8/2/13 6:44 PM, David Bruant wrote:
> And apparently @sandbox doesn't help here if there is allow-same-origin.
> So here is an idea: make the document.domain setter throw inside an
> iframe at sandbox, *regardless* of allow-same-origin. That solves the
> mail.google.com VS calendar.google.com case.
How exactly does it solve it? How is @sandbox even relevant here?
> It doesn't solve the case of when the parent shortens its
> document.domain to match the allow-same-origin sandboxed iframe, but I
> feel it's a rare case to load an x.y iframe from an w.x.y page.
I'm not sure what you mean. document.domain requires opt-on on both
sides, so the "x.y and w.x.y" case is no different from the
"mail.google.com and calendar.google.com" case.
More information about the whatwg