[whatwg] Disabling document.domain setting on iframe at sandbox (especially with allow-same-origin)
Boris Zbarsky
bzbarsky at MIT.EDU
Fri Aug 2 18:17:46 PDT 2013
On 8/2/13 6:55 PM, Ian Hickson wrote:
> How does it solve it? (What _is_ the "mail.google.com vs
> calendar.google.com case"?)
The case is when mail.google.com tries to attack calendar.google.com,
and they can't be in different processes as mitigation because you never
know when they'll both set domain to "google.com"...
-Boris
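
The situation described above, as an added example that is not part of the original message: a simplified JavaScript model of the HTML same origin-domain check, showing how two cross-origin documents become mutually scriptable after both set document.domain. The helper names and the two-label suffix heuristic are assumptions made for illustration; a real browser consults the public suffix list.

```javascript
// Simplified model of the HTML "same origin" / "same origin-domain" checks.
// Origins are plain objects built from constructed URLs, not real browser state.
function makeOrigin(url) {
  const u = new URL(url);
  return { scheme: u.protocol.slice(0, -1), host: u.hostname, port: u.port, domain: null };
}

// Model of assigning document.domain: the value must be the host or a parent
// suffix of it. Real browsers also reject public suffixes ("com"); omitted here.
function setDomain(origin, value) {
  if (origin.host !== value && !origin.host.endsWith("." + value)) {
    throw new Error("SecurityError: " + value + " is not a suffix of " + origin.host);
  }
  return { ...origin, domain: value };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Once either side has set document.domain, both must have set it to the same
// value (scheme must match, port is ignored); otherwise fall back to sameOrigin.
function sameOriginDomain(a, b) {
  if (a.domain !== null || b.domain !== null) {
    return a.domain !== null && a.scheme === b.scheme && a.domain === b.domain;
  }
  return sameOrigin(a, b);
}

// Can two origins ever relax to a common domain? Assumption: a shared suffix of
// two or more labels counts as registrable (stand-in for the public suffix list).
function mayLaterMerge(a, b) {
  if (a.scheme !== b.scheme) return false;
  const la = a.host.split(".").reverse();
  const lb = b.host.split(".").reverse();
  let shared = 0;
  while (shared < la.length && shared < lb.length && la[shared] === lb[shared]) shared++;
  return shared >= 2;
}

// Walk through the mail/calendar case from the message.
function scenario() {
  let mail = makeOrigin("https://mail.google.com/");
  let cal = makeOrigin("https://calendar.google.com/");
  const before = sameOriginDomain(mail, cal);   // cross-origin at load time
  mail = setDomain(mail, "google.com");
  const oneSided = sameOriginDomain(mail, cal); // one side relaxing is not enough
  cal = setDomain(cal, "google.com");
  const after = sameOriginDomain(mail, cal);    // both relaxed: full script access
  return { before, oneSided, after, mergeable: mayLaterMerge(mail, cal) };
}
```

Because `mayLaterMerge` is already true before either document touches document.domain, a process-per-origin allocator cannot safely separate the two documents; it has to group by scheme and registrable domain instead.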