[whatwg] Disabling document.domain setting on iframe at sandbox (especially with allow-same-origin)

Boris Zbarsky bzbarsky at MIT.EDU
Fri Aug 2 18:17:46 PDT 2013

On 8/2/13 6:55 PM, Ian Hickson wrote:
> How does it solve it? (What _is_ the "mail.google.com vs
> calendar.google.com case"?)

The case is when mail.google.com tries to attack calendar.google.com, 
and they can't be in different processes as mitigation because you never 
know when they'll both set domain to "google.com"...


More information about the whatwg mailing list