[whatwg] Disabling document.domain setting on iframe at sandbox (especially with allow-same-origin)

Boris Zbarsky bzbarsky at MIT.EDU
Fri Aug 2 19:38:42 PDT 2013


On 8/2/13 10:35 PM, Ian Hickson wrote:
> Honestly, though, at the point
> where you're able to trick a similar-origin site into changing
> document.domain so you can attack it

document.domain was not involved in any way in the cross-site issues 
I've pointed out to you recently.

-Boris


