Hi,
Moving part of an es-discuss discussion [1]
Boris Zbarsky wrote:
Hixie is suggesting process-isolating iframes that are not same-origin
to start with and can't be made same-origin via document.domain
Quite a noble purpose.
Note that this condition applies to sandboxed iframes (except for
allow-same-origin) which is an awesome feature.
He is not suggesting process-isolating iframes which might ever become
same-origin.
So his proposed implementation gives good defence in depth for things
that are completely different origins and always will be, but does
nothing for protecting mail.google.com from calendar.google.com, say,
compared to the current situation.
And apparently @sandbox doesn't help here if there is allow-same-origin.
So here is an idea: make the document.domain setter throw inside an
iframe@sandbox, *regardless* of allow-same-origin. That solves the
mail.google.com vs. calendar.google.com case.
It doesn't solve the case of when the parent shortens its
document.domain to match the allow-same-origin sandboxed iframe, but I
feel it's a rare case to load an x.y iframe from an w.x.y page.
David
[1] https://mail.mozilla.org/pipermail/es-discuss/2013-August/032491.html
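Added example, not part of David's email and not any browser's implementation: a small JavaScript model of the document.domain setter and the resulting "same origin-domain" check, run over the mail.google.com vs. calendar.google.com scenario under both the behaviour the thread describes as current (setter blocked only in sandboxed frames without allow-same-origin) and the proposed rule (setter blocked in every sandboxed frame). The public-suffix set, the context shape and the `policy` parameter are constructed for the example; real browsers use the Public Suffix List and also null the port when document.domain is set.

```javascript
// Constructed stand-in for the Public Suffix List a real browser consults.
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "co.uk"]);

// A browsing context: its origin's host, the iframe sandbox flags that matter
// here, and the document.domain state (current value plus whether it was set).
function makeContext(host, { sandboxed = false, allowSameOrigin = false } = {}) {
  return { host, sandboxed, allowSameOrigin, domain: host, domainSet: false };
}

// Suffix rule for the new value: it must equal the current domain or be a
// dot-separated suffix of it, and it must not itself be a public suffix.
function isAllowedDomainValue(currentDomain, value) {
  if (value === currentDomain) return true;
  if (!currentDomain.endsWith("." + value)) return false;
  return !PUBLIC_SUFFIXES.has(value);
}

// document.domain setter.
//   policy "current":  blocked only when sandboxed without allow-same-origin.
//   policy "proposed": blocked in any sandboxed frame (David's suggestion).
function setDocumentDomain(ctx, value, policy = "proposed") {
  const blockedBySandbox =
    policy === "proposed" ? ctx.sandboxed : ctx.sandboxed && !ctx.allowSameOrigin;
  if (blockedBySandbox) {
    throw new Error("SecurityError: document.domain is not settable in this sandboxed frame");
  }
  if (!isAllowedDomainValue(ctx.domain, value)) {
    throw new Error(`SecurityError: cannot set document.domain to "${value}"`);
  }
  ctx.domain = value;
  ctx.domainSet = true;
}

// Two documents are same origin-domain only if both (or neither) have set
// document.domain and the resulting domains match. One side relaxing alone
// never grants the other side access.
function isSameOriginDomain(a, b) {
  if (a.domainSet !== b.domainSet) return false;
  return a.domainSet ? a.domain === b.domain : a.host === b.host;
}

// The mail vs. calendar case from the email: both try to relax to google.com.
// Returns whether they end up same origin-domain; a throwing setter in the
// calendar frame counts as "not relaxed".
function mailCalendarScenario(policy, calendarSandbox = {}) {
  const mail = makeContext("mail.google.com");
  const calendar = makeContext("calendar.google.com", calendarSandbox);
  setDocumentDomain(mail, "google.com", policy);
  try {
    setDocumentDomain(calendar, "google.com", policy);
  } catch (e) {
    return false;
  }
  return isSameOriginDomain(mail, calendar);
}

// Stand-alone run: show each configuration under both policies.
for (const policy of ["current", "proposed"]) {
  console.log(policy, "plain iframe:", mailCalendarScenario(policy));
  console.log(policy, "sandbox allow-same-origin:",
    mailCalendarScenario(policy, { sandboxed: true, allowSameOrigin: true }));
  console.log(policy, "sandbox without allow-same-origin:",
    mailCalendarScenario(policy, { sandboxed: true }));
}
```

The interesting row is the sandboxed iframe with allow-same-origin: under the current rule it can still be pulled into mail.google.com's origin by relaxing document.domain on both sides, while under the proposed rule the setter throws in the frame and the two documents stay separate.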