23040 – Disallow setting document.domain in sandboxed iframes

This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 23040 - Disallow setting document.domain in sandboxed iframes

Summary: Disallow setting document.domain in sandboxed iframes

Status:	RESOLVED FIXED

Alias:	None

Product:	WHATWG
Classification:	Unclassified
Component:	HTML (show other bugs)
Version:	unspecified
Hardware:	PC Linux

Importance:	P2 normal
Target Milestone:	Unsorted
Assignee:	Ian 'Hixie' Hickson
QA Contact:	contributor

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2013-08-21 20:59 UTC by David Bruant
Modified:	2013-11-13 19:33 UTC (History)
CC List:	2 users (show)

See Also:

Attachments

Description David Bruant 2013-08-21 20:59:25 UTC

After discussion, people seem to agree on this idea.
http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2013-August/040344.html
http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2013-August/040560.html

And at least support from Mozilla to try it out:
https://bugzilla.mozilla.org/show_bug.cgi?id=907892

Blink bug http://code.google.com/p/chromium/issues/detail?id=277084

Comment 1 Ian 'Hixie' Hickson 2013-09-23 20:38:17 UTC

(This would enable sandboxed iframes to be process-isolated more tightly.)

Comment 2 contributor 2013-11-13 19:33:03 UTC

Checked in as WHATWG revision r8275.
Check-in comment: Make sandboxed iframes block document.domain setting
http://html5.org/tools/web-apps-tracker?from=8274&to=8275