-
Notifications
You must be signed in to change notification settings - Fork 152
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Proposal: Transition 'document-domain' feature to Document Policy #414
Comments
document-domain
as well.
(Updated the title to make it stand alone)
We could move this to a Document Policy configuration point, but need to be aware of what it means to give different frame independent control over this feature. One of the original ideas was that disabling this would be a prerequisite for isolating origins in separate agent clusters: if two frames in the same tree, a.example.com and b.example.com, can never set their However, if they are allowed to set it independently, you can have a situation where Frame 1 (a.example.com) disables document.domain, Frame 2 (b.example.com) does not, and then a third frame (also at a.example.com) is created, which also does not disable it. That frame should be in the same agent cluster as Frame 1, since they are same origin, but at the same time, it could set Moving to document policy is probably the right thing to do for this API, but it means that other mechanisms need to be used to declare isolation properties. (I'm sure this has all been discussed before; I just want to make sure it's explicit here) |
|
As Anne notes, disabling/enabling In your example, frame 2 and frame 3 would indeed be capable of colluding directly by not opting-out of |
Closing; this has been tried (in both locations) and removed from the relevant spec. #491 removes |
This seems right to me. We should likely move/copy
document-domain
as well.Originally posted by @mikewest in #410 (comment)
The text was updated successfully, but these errors were encountered: