Disallowing setting document.domain in sandboxed iframes

[Boris Zbarsky]

Would we be willing to disallow setting document.domain in sandboxed
iframes? Seems like there should no content depending on that so far,
and it would mean that sandboxed iframes could have better
task/process/whatever isolation from the parent...

Hixie is looking for some sort of implementor commitment, but I figured
I should check here before saying anything on the whatwg list.

-Boris

[Bobby Holley]

Don't sandboxed scopes already get a unique principal, for which
document.domain is meaningless?

Either way I am totally, 100% on board with disallowing
document.domain whenever we can.

bholley

> _______________________________________________
> dev-tech-dom mailing list
> dev-te...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-dom

[Boris Zbarsky]

On 8/9/13 12:32 PM, Bobby Holley wrote:
> Don't sandboxed scopes already get a unique principal, for which
> document.domain is meaningless?

Not if you allow-same-origin.

-Boris

[Bobby Holley]

Oh, right. Yeah, that sounds fine - should make it easier to sandbox
the windows, since there's no transitive closure to worry about.

bholley

[Blake Kaplan]

Bobby Holley <bobby...@gmail.com> wrote:
> Either way I am totally, 100% on board with disallowing
> document.domain whenever we can.

I second this notion!
--
Blake Kaplan

[Boris Zbarsky]

On 8/14/13 12:32 PM, Blake Kaplan wrote:
> Bobby Holley <bobby...@gmail.com> wrote:
>> Either way I am totally, 100% on board with disallowing
>> document.domain whenever we can.
>
> I second this notion!

Alright, then. https://bugzilla.mozilla.org/show_bug.cgi?id=907892

-Boris