[whatwg] Disabling document.domain setting on iframe at sandbox (especially with allow-same-origin)
bzbarsky at MIT.EDU
Sat Aug 3 07:02:17 PDT 2013
On 8/3/13 9:48 AM, David Bruant wrote:
> "a.example.org" can sandbox the iframe to "b.example.org" and process
> isolation becomes possible again
Yes, agreed. This might be a good idea. It just has nothing to do with
protecting one from attacks by the other in general, because they can
use window.open and loads...
> What I'm suggesting is the following: poison the document.domain setter
> in sandboxed iframes regardless of whether there is allow-same-origin.
I like it, yes.
> The only case this doesn't allow to optimize is "a.example.org" with an
> iframe to "example.org", where "a.example.org" might set document.domain
> to "example.org".
It doesn't matter, because _both_ have to set document.domain. As in,
a.example.org setting .domain to "example.org" does not make it
same-origin with example.org unless the latter also explicitly sets
.domain to "example.org". Which we would disallow in sandboxed iframes.
More information about the whatwg