[whatwg] @srcdoc and default @sandbox

Tab Atkins Jr. jackalmage at gmail.com
Mon Aug 30 10:02:30 PDT 2010


While talking with the implementor of @srcdoc in WebKit, it came up
that, though @srcdoc is *designed* for use with @sandbox, the author
still has to explicitly add @sandbox to the <iframe> or else they
don't get the sandbox security model.

Can we make this automatic?  Specifically, when <iframe
srcdoc=foo></iframe> is specified (without @sandbox), it drops into
the sandbox security model as if <iframe sandbox srcdoc=foo></iframe>
was used.  If @sandbox is explicitly added, its value is instead used,
so the author can set the sandbox security flags if desired.

This would mean that there is no way for an author to use @srcdoc
*without* sandboxing.  This appears to be a minority use-case in the
first place (as far as I can tell, it's pretty much just useful for
testing purposes), but the author can always use a data: url in that
case.


As a separate issue, a @srcdoc <iframe> should be able to receive
@seamless as well, even when it's officially unique-origin (that is,
when the author doesn't go out of their way to set
@sandbox=allow-same-origin).  There is precedent for this in the spec
- a text/html-sandboxed resource loaded into an iframe (which is
required to be unique-origin) can receive @seamless, because it's not
"actually" cross-origin; it only acts that way for particular security
purposes which don't apply to the use of @seamless here.

~TJ
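
An added example, not part of the original message: since @sandbox must be written explicitly, this audit flags every `<iframe srcdoc>` in a piece of markup that has no `sandbox` attribute, and reports whether a sandboxed one stays unique-origin. The function names and the sample markup are constructed for illustration, and the attribute scanner is a simplification, not a full HTML parser.

```javascript
// Parse the attribute portion of one start tag into a Map (first occurrence wins).
function parseAttrs(s) {
  const attrs = new Map();
  // name, optionally followed by = and a double-quoted, single-quoted or unquoted value
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>]+)))?/g;
  let m;
  while ((m = re.exec(s)) !== null) {
    const name = m[1].toLowerCase();
    if (!attrs.has(name)) attrs.set(name, m[2] ?? m[3] ?? m[4] ?? "");
  }
  return attrs;
}

// Return one finding per <iframe> that carries srcdoc.
function auditSrcdocIframes(html) {
  const findings = [];
  // Quoted values may contain '>' (srcdoc usually does), so match them as units.
  const tagRe = /<iframe\b((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    if (!attrs.has("srcdoc")) continue;
    // null means no sandbox attribute at all; [] means a bare "sandbox"
    const tokens = attrs.has("sandbox")
      ? attrs.get("sandbox").toLowerCase().split(/\s+/).filter(Boolean)
      : null;
    findings.push({
      index: m.index,
      sandboxed: tokens !== null,
      uniqueOrigin: tokens !== null && !tokens.includes("allow-same-origin"),
      seamless: attrs.has("seamless"),
    });
  }
  return findings;
}

// Constructed sample markup: unsandboxed, sandboxed, same-origin opt-in, and a plain src iframe.
const SAMPLE = [
  `<iframe srcdoc="<p>user comment</p>"></iframe>`,
  `<iframe sandbox srcdoc="<p>user comment</p>"></iframe>`,
  `<iframe seamless sandbox="allow-same-origin" srcdoc='<b>x</b>'></iframe>`,
  `<iframe src="https://example.com/"></iframe>`,
].join("\n");

for (const f of auditSrcdocIframes(SAMPLE)) {
  if (!f.sandboxed) console.log(`offset ${f.index}: srcdoc without sandbox`);
}
```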


