Rising from the ashes of bug 916939. Maybe sandboxed iframes are recent enough to have a saner relationship to their parent? This would remove a sync communication channel between a parent and an iframe, allowing thread/process/task isolation of iframes.
(In reply to Boris Zbarsky [:bz] (Vacation Oct 12 - Oct 27) from comment #1) > Define "acquired"? Yeah sorry, something like "got a reference to". In code: parent context: <iframe id="foo" sandbox="allow-script"> <script> var win = document.getElementById('foo').contentWindow; // that's what I call "acquire" // since win references a sandboxed iframe window, named and indexed access could be // decided not to work anymore </script> ... I realize this certainly requires some sort of WindowProxy2. I should probably take this to the WHATWG first, sorry for the noise.
> since win references a sandboxed iframe window Hmm. I guess sandboxing propagates to subframes too... Bobby, thoughts? This might be reasonable.
We could easily implement this in our security wrappers if we wanted to. I'm happy to use Gecko as a guinea pig if we need to test the web-compatibility of this change. I suspect it should be ok. (In reply to David Bruant from comment #2) > ... I realize this certainly requires some sort of WindowProxy2. I should Not necessarily. The current spec language for cross-origin object access is inaccurate, and Hixie and I are actively sorting out what this stuff should look like. See . > probably take this to the WHATWG first, sorry for the noise. Given the above, you might have better luck waiting until  is sorted out.  https://www.w3.org/Bugs/Public/show_bug.cgi?id=20701