[whatwg] Disabling document.domain setting on iframe at sandbox (especially with allow-same-origin)
Ian Hickson
ian at hixie.ch
Fri Aug 2 19:35:42 PDT 2013
On Fri, 2 Aug 2013, Boris Zbarsky wrote:
> On 8/2/13 6:55 PM, Ian Hickson wrote:
> > How does it solve it? (What _is_ the "mail.google.com vs
> > calendar.google.com case"?)
>
> The case is when mail.google.com tries to attack calendar.google.com,
> and they can't be in different processes as mitigation because you never
> know when they'll both set domain to "google.com"...
Ah, ok. It's clearer to describe that as the "victim.example.com vs
hostile.example.com" case, since the fact that calendar.google.com
redirects to www.google.com and mail.google.com doesn't is mostly just an
accident of history at this point.
Yes, the model I described in es-discuss doesn't attempt to mitigate that
case. It groups similar-origin browsing contexts that share an event loop.
It has the advantage (over models that do mitigate that specific case)
that it happens to be compatible with the legacy security model (the one
implemented, until recently, by all browsers); it has the disadvantage
that near siblings, origin-wise, only have one level of protection against
each other, not the full defense-in-depth. Honestly, though, at the point
where you're able to trick a similar-origin site into changing
document.domain so you can attack it, it's not clear to me that the extra
level of defense is worth much. You can already, e.g., do XHR to the other
origin, at that point, or read or write to its localStorage, or read its
cookies, or send postMessage() with their origin credentials, or speak to
their workers. I dunno, it seems like the fact that you can't get to
objects in other iframes of that origin at that point is mostly moot.
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
More information about the whatwg
mailing list