On 8/3/13 9:48 AM, David Bruant wrote:
> "a.example.org" can sandbox the iframe to "b.example.org" and process isolation becomes possible again
Yes, agreed. This might be a good idea. It just has nothing to do with protecting one from attacks by the other in general, because they can use window.open and loads...
> What I'm suggesting is the following: poison the document.domain setter in sandboxed iframes regardless of whether there is allow-same-origin.
I like it, yes.
> The only case this doesn't allow to optimize is "a.example.org" with an iframe to "example.org", where "a.example.org" might set document.domain to "example.org".
It doesn't matter, because _both_ have to set document.domain. As in, a.example.org setting .domain to "example.org" does not make it same-origin with example.org unless the latter also explicitly sets .domain to "example.org". Which we would disallow in sandboxed iframes.
-Boris
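The rule Boris relies on, that relaxing document.domain on one side alone never makes two documents same-origin, is easy to get wrong when reasoning about frame isolation. The following is an added illustration, not code from this thread or from any browser: a small Node.js model of the HTML spec's "same origin-domain" comparison, plus a model of a document.domain setter that refuses to run in a sandboxed document (the poisoning David proposes). The document/origin objects, function names and the `sandboxedDomainFlag` field are all constructed for this model; public-suffix checks and the other setter preconditions in the real spec are omitted.

```javascript
// Added example: a model of "same origin-domain" and of a poisoned
// document.domain setter. Not browser code; names are constructed here.

// An origin tuple. `domain` is null until document.domain has been set.
function makeOrigin(scheme, host, port) {
  return { scheme, host, port, domain: null };
}

// A document: its origin plus a flag modelling "this document is in a
// sandboxed iframe whose document.domain setter has been poisoned".
function makeDocument(scheme, host, port, sandboxedDomainFlag = false) {
  return { origin: makeOrigin(scheme, host, port), sandboxedDomainFlag };
}

// May `host` set document.domain to `newDomain`? Simplified spec rule:
// newDomain must equal host or be a dot-separated suffix of it.
// (The real spec also rejects public suffixes; omitted in this model.)
function isAllowedDomainSuffix(host, newDomain) {
  if (newDomain === host) return true;
  return host.endsWith("." + newDomain);
}

// Model of the document.domain setter. In a sandboxed document the setter
// throws, regardless of allow-same-origin, which is the proposal in the thread.
function setDocumentDomain(doc, newDomain) {
  if (doc.sandboxedDomainFlag) {
    throw new Error("SecurityError: document.domain is poisoned in a sandboxed document");
  }
  if (!isAllowedDomainSuffix(doc.origin.host, newDomain)) {
    throw new Error("SecurityError: " + newDomain + " is not a suffix of " + doc.origin.host);
  }
  doc.origin.domain = newDomain;
}

// HTML spec "same origin-domain", simplified:
//  - both have domain set:   same scheme and equal domains
//  - neither has domain set: plain same-origin (scheme, host, port)
//  - exactly one has it set: never same origin-domain
function sameOriginDomain(a, b) {
  if (a.domain !== null && b.domain !== null) {
    return a.scheme === b.scheme && a.domain === b.domain;
  }
  if (a.domain === null && b.domain === null) {
    return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
  }
  return false;
}

// Scenario from the thread: a.example.org frames example.org and only the
// parent sets document.domain. Result: still not same origin-domain.
function scenarioOnlyParentSets() {
  const parent = makeDocument("https", "a.example.org", 443);
  const child = makeDocument("https", "example.org", 443);
  setDocumentDomain(parent, "example.org");
  return sameOriginDomain(parent.origin, child.origin); // false
}

// Both sides opt in explicitly: now they are same origin-domain.
function scenarioBothSet() {
  const parent = makeDocument("https", "a.example.org", 443);
  const child = makeDocument("https", "example.org", 443);
  setDocumentDomain(parent, "example.org");
  setDocumentDomain(child, "example.org");
  return sameOriginDomain(parent.origin, child.origin); // true
}

// Child is in a sandboxed iframe with the poisoned setter: it cannot opt in,
// so the parent's relaxation alone can never join the two documents.
function scenarioSandboxedChild() {
  const parent = makeDocument("https", "a.example.org", 443);
  const child = makeDocument("https", "example.org", 443, true);
  setDocumentDomain(parent, "example.org");
  let childThrew = false;
  try {
    setDocumentDomain(child, "example.org");
  } catch (e) {
    childThrew = true;
  }
  return { childThrew, joined: sameOriginDomain(parent.origin, child.origin) };
}

console.log("only parent sets:", scenarioOnlyParentSets());
console.log("both set:", scenarioBothSet());
console.log("sandboxed child:", scenarioSandboxedChild());
```

The useful property to check against any such model is the third scenario: because the comparison requires both domains to be non-null and equal, a document whose setter always throws can never become same origin-domain with a framing page, whatever that page does to its own document.domain.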
