On 8/2/13 6:44 PM, David Bruant wrote:
And apparently @sandbox doesn't help here if there is allow-same-origin. So here is an idea: make the document.domain setter throw inside an iframe@sandbox, *regardless* of allow-same-origin. That solves the mail.google.com VS calendar.google.com case.
How exactly does it solve it? How is @sandbox even relevant here?
It doesn't solve the case of when the parent shortens its document.domain to match the allow-same-origin sandboxed iframe, but I feel it's a rare case to load an x.y iframe from an w.x.y page.
I'm not sure what you mean. document.domain requires opt-on on both sides, so the "x.y and w.x.y" case is no different from the "mail.google.com and calendar.google.com" case.
-Boris
