Disallowing setting document.domain in sandboxed iframes


Boris Zbarsky

Aug 9, 2013, 12:38:35 AM
Would we be willing to disallow setting document.domain in sandboxed
iframes? Seems like there should be no content depending on that so far,
and it would mean that sandboxed iframes could have better
task/process/whatever isolation from the parent...

Hixie is looking for some sort of implementor commitment, but I figured
I should check here before saying anything on the whatwg list.

-Boris

Bobby Holley

Aug 9, 2013, 12:32:30 PM
to Boris Zbarsky, dev-te...@lists.mozilla.org
Don't sandboxed scopes already get a unique principal, for which
document.domain is meaningless?

Either way I am totally, 100% on board with disallowing
document.domain whenever we can.

bholley

Boris Zbarsky

Aug 9, 2013, 12:39:10 PM
On 8/9/13 12:32 PM, Bobby Holley wrote:
> Don't sandboxed scopes already get a unique principal, for which
> document.domain is meaningless?

Not if you allow-same-origin.

-Boris

Bobby Holley

Aug 9, 2013, 12:50:35 PM
to Boris Zbarsky, dev-te...@lists.mozilla.org
Oh, right. Yeah, that sounds fine - should make it easier to sandbox
the windows, since there's no transitive closure to worry about.

bholley

Blake Kaplan

Aug 14, 2013, 12:32:43 PM
Bobby Holley <bobby...@gmail.com> wrote:
> Either way I am totally, 100% on board with disallowing
> document.domain whenever we can.

I second this notion!
--
Blake Kaplan

Boris Zbarsky

Aug 21, 2013, 4:19:52 PM
On 8/14/13 12:32 PM, Blake Kaplan wrote:
> Bobby Holley <bobby...@gmail.com> wrote:
>> Either way I am totally, 100% on board with disallowing
>> document.domain whenever we can.
>
> I second this notion!

Alright, then. https://bugzilla.mozilla.org/show_bug.cgi?id=907892

-Boris