Disallowing setting document.domain in sandboxed iframes

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

Disallowing setting document.domain in sandboxed iframes

Boris Zbarsky
Would we be willing to disallow setting document.domain in sandboxed
iframes?  Seems like there should no content depending on that so far,
and it would mean that sandboxed iframes could have better
task/process/whatever isolation from the parent...

Hixie is looking for some sort of implementor commitment, but I figured
I should check here before saying anything on the whatwg list.

-Boris
_______________________________________________
dev-tech-dom mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-dom
Reply | Threaded
Open this post in threaded view
|

Re: Disallowing setting document.domain in sandboxed iframes

Bobby Holley-2
Don't sandboxed scopes already get a unique principal, for which
document.domain is meaningless?

Either way I am totally, 100% on board with disallowing
document.domain whenever we can.

bholley

On Thu, Aug 8, 2013 at 9:38 PM, Boris Zbarsky <[hidden email]> wrote:

> Would we be willing to disallow setting document.domain in sandboxed
> iframes?  Seems like there should no content depending on that so far, and
> it would mean that sandboxed iframes could have better task/process/whatever
> isolation from the parent...
>
> Hixie is looking for some sort of implementor commitment, but I figured I
> should check here before saying anything on the whatwg list.
>
> -Boris
> _______________________________________________
> dev-tech-dom mailing list
> [hidden email]
> https://lists.mozilla.org/listinfo/dev-tech-dom
_______________________________________________
dev-tech-dom mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-dom
Reply | Threaded
Open this post in threaded view
|

Re: Disallowing setting document.domain in sandboxed iframes

Boris Zbarsky
In reply to this post by Boris Zbarsky
On 8/9/13 12:32 PM, Bobby Holley wrote:
> Don't sandboxed scopes already get a unique principal, for which
> document.domain is meaningless?

Not if you allow-same-origin.

-Boris
_______________________________________________
dev-tech-dom mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-dom
Reply | Threaded
Open this post in threaded view
|

Re: Disallowing setting document.domain in sandboxed iframes

Bobby Holley-2
Oh, right. Yeah, that sounds fine - should make it easier to sandbox
the windows, since there's no transitive closure to worry about.

bholley

On Fri, Aug 9, 2013 at 9:39 AM, Boris Zbarsky <[hidden email]> wrote:

> On 8/9/13 12:32 PM, Bobby Holley wrote:
>>
>> Don't sandboxed scopes already get a unique principal, for which
>> document.domain is meaningless?
>
>
> Not if you allow-same-origin.
>
>
> -Boris
> _______________________________________________
> dev-tech-dom mailing list
> [hidden email]
> https://lists.mozilla.org/listinfo/dev-tech-dom
_______________________________________________
dev-tech-dom mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-dom
Reply | Threaded
Open this post in threaded view
|

Re: Disallowing setting document.domain in sandboxed iframes

Blake Kaplan
In reply to this post by Boris Zbarsky
Bobby Holley <[hidden email]> wrote:
> Either way I am totally, 100% on board with disallowing
> document.domain whenever we can.

I second this notion!
--
Blake Kaplan
_______________________________________________
dev-tech-dom mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-dom
Reply | Threaded
Open this post in threaded view
|

Re: Disallowing setting document.domain in sandboxed iframes

Boris Zbarsky
On 8/14/13 12:32 PM, Blake Kaplan wrote:
> Bobby Holley <[hidden email]> wrote:
>> Either way I am totally, 100% on board with disallowing
>> document.domain whenever we can.
>
> I second this notion!

Alright, then.  https://bugzilla.mozilla.org/show_bug.cgi?id=907892

-Boris
_______________________________________________
dev-tech-dom mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-dom