[whatwg] Disabling document.domain setting on iframe at sandbox (especially with allow-same-origin)

Boris Zbarsky bzbarsky at MIT.EDU
Fri Aug 2 18:17:46 PDT 2013


On 8/2/13 6:55 PM, Ian Hickson wrote:
> How does it solve it? (What _is_ the "mail.google.com vs
> calendar.google.com case"?)

The case is when mail.google.com tries to attack calendar.google.com, 
and they can't be in different processes as mitigation because you never 
know when they'll both set domain to "google.com"...

-Boris



More information about the whatwg mailing list