[whatwg] Disabling document.domain setting on iframe at sandbox (especially with allow-same-origin)

[Boris Zbarsky]

On 8/2/13 6:55 PM, Ian Hickson wrote:
> How does it solve it? (What _is_ the "mail.google.com vs
> calendar.google.com case"?)

The case is when mail.google.com tries to attack calendar.google.com, 
and they can't be in different processes as mitigation because you never 
know when they'll both set domain to "google.com"...

-Boris