[whatwg] Disabling document.domain setting on iframe at sandbox (especially with allow-same-origin)

Boris Zbarsky bzbarsky at MIT.EDU
Sat Aug 3 07:02:17 PDT 2013

On 8/3/13 9:48 AM, David Bruant wrote:
> "a.example.org" can sandbox the iframe to "b.example.org" and process
> isolation becomes possible again

Yes, agreed.  This might be a good idea.  It just has nothing to do with 
protecting one from attacks by the other in general, because they can 
use window.open and loads...

> What I'm suggesting is the following: poison the document.domain setter
> in sandboxed iframes regardless of whether there is allow-same-origin.

I like it, yes.

> The only case this doesn't allow to optimize is "a.example.org" with an
> iframe to "example.org", where "a.example.org" might set document.domain
> to "example.org".

It doesn't matter, because _both_ have to set document.domain.  As in, 
a.example.org setting .domain to "example.org" does not make it 
same-origin with example.org unless the latter also explicitly sets 
.domain to "example.org".  Which we would disallow in sandboxed iframes.


More information about the whatwg mailing list