[html5] r4579 - [e] (0) Mention the danger of allow-scripts+allow-same-origin on same-origin iframes.

whatwg at whatwg.org
Mon Jan 11 18:56:20 PST 2010


Author: ianh
Date: 2010-01-11 18:56:17 -0800 (Mon, 11 Jan 2010)
New Revision: 4579

Modified:
   complete.html
   index
   source
Log:
[e] (0) Mention the danger of allow-scripts+allow-same-origin on same-origin iframes.

Modified: complete.html
===================================================================
--- complete.html	2010-01-12 02:46:55 UTC (rev 4578)
+++ complete.html	2010-01-12 02:56:17 UTC (rev 4579)
@@ -19657,11 +19657,17 @@
   prevented from targeting other <a href=#browsing-context title="browsing
   context">browsing contexts</a>, and plugins are disabled. The
   <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
-  token allows the content to be treated as being from the same origin
+  keyword allows the content to be treated as being from the same origin
   instead of forcing it into a unique origin, and the <code title=attr-iframe-sandbox-allow-forms><a href=#attr-iframe-sandbox-allow-forms>allow-forms</a></code> and <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code>
-  tokens re-enable forms and scripts respectively (though scripts are
+  keywords re-enable forms and scripts respectively (though scripts are
   still prevented from creating popups).</p>
 
+  <p class=warning>Setting both the <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code> and
+  <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
+  keywords together when the embedded page has the <a href=#same-origin>same
+  origin</a> as the page containing the <code><a href=#the-iframe-element>iframe</a></code> allows
+  the embedded page to simply remove the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute.</p>
+
   <div class=impl>
 
   <!-- v2: Add a new attribute that enables new restrictions, e.g.:
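Review bot: the new `<p class=warning>` paragraph in this hunk stops at "simply remove the sandbox attribute" and never states the consequence, which is the whole point of a warning: once the embedded page has removed the attribute, none of the restrictions the surrounding text lists (unique origin, no targeting of other browsing contexts, plugins disabled, forms and scripts off, no popups) protects the embedding page any more, so the combination is no safer than not sandboxing at all. Suggest finishing the sentence with the effect, e.g. "...allows the embedded page to simply remove the sandbox attribute, defeating the sandbox entirely," and adding the rule that follows from it for authors: do not combine allow-scripts with allow-same-origin for content that is same-origin with the embedding page; pick one or the other.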

Modified: index
===================================================================
--- index	2010-01-12 02:46:55 UTC (rev 4578)
+++ index	2010-01-12 02:56:17 UTC (rev 4579)
@@ -19557,11 +19557,17 @@
   prevented from targeting other <a href=#browsing-context title="browsing
   context">browsing contexts</a>, and plugins are disabled. The
   <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
-  token allows the content to be treated as being from the same origin
+  keyword allows the content to be treated as being from the same origin
   instead of forcing it into a unique origin, and the <code title=attr-iframe-sandbox-allow-forms><a href=#attr-iframe-sandbox-allow-forms>allow-forms</a></code> and <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code>
-  tokens re-enable forms and scripts respectively (though scripts are
+  keywords re-enable forms and scripts respectively (though scripts are
   still prevented from creating popups).</p>
 
+  <p class=warning>Setting both the <code title=attr-iframe-sandbox-allow-scripts><a href=#attr-iframe-sandbox-allow-scripts>allow-scripts</a></code> and
+  <code title=attr-iframe-sandbox-allow-same-origin><a href=#attr-iframe-sandbox-allow-same-origin>allow-same-origin</a></code>
+  keywords together when the embedded page has the <a href=#same-origin>same
+  origin</a> as the page containing the <code><a href=#the-iframe-element>iframe</a></code> allows
+  the embedded page to simply remove the <code title=attr-iframe-sandbox><a href=#attr-iframe-sandbox>sandbox</a></code> attribute.</p>
+
   <div class=impl>
 
   <!-- v2: Add a new attribute that enables new restrictions, e.g.:
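Review bot: the parenthetical two lines above the new warning, "(though scripts are still prevented from creating popups)", is now contradicted by the warning for the very case the warning describes: with allow-scripts plus allow-same-origin on a same-origin page, the embedded script can remove the sandbox attribute, after which the popup restriction no longer holds either. Suggest qualifying the parenthetical ("still prevented from creating popups while the sandbox is in effect") or rewording the warning so it explicitly says that every restriction in this paragraph, the popup one included, can be lifted by the embedded page in that configuration; as written, a reader stopping at the parenthetical takes away a guarantee the next paragraph removes.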

Modified: source
===================================================================
--- source	2010-01-12 02:46:55 UTC (rev 4578)
+++ source	2010-01-12 02:56:17 UTC (rev 4579)
@@ -20910,13 +20910,22 @@
   context">browsing contexts</span>, and plugins are disabled. The
   <code
   title="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code>
-  token allows the content to be treated as being from the same origin
+  keyword allows the content to be treated as being from the same origin
   instead of forcing it into a unique origin, and the <code
   title="attr-iframe-sandbox-allow-forms">allow-forms</code> and <code
   title="attr-iframe-sandbox-allow-scripts">allow-scripts</code>
-  tokens re-enable forms and scripts respectively (though scripts are
+  keywords re-enable forms and scripts respectively (though scripts are
   still prevented from creating popups).</p>
 
+  <p class="warning">Setting both the <code
+  title="attr-iframe-sandbox-allow-scripts">allow-scripts</code> and
+  <code
+  title="attr-iframe-sandbox-allow-same-origin">allow-same-origin</code>
+  keywords together when the embedded page has the <span>same
+  origin</span> as the page containing the <code>iframe</code> allows
+  the embedded page to simply remove the <code
+  title="attr-iframe-sandbox">sandbox</code> attribute.</p>
+
   <div class="impl">
 
   <!-- v2: Add a new attribute that enables new restrictions, e.g.:
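Review bot: the log line describes only the added warning, but the larger part of this hunk by changed lines is the terminology change from "token" to "keyword" for the sandbox attribute values (the two `-`/`+` pairs above the warning). Either note the rename in the log or confirm in it that the rename is complete, since this hunk only touches the two occurrences in this paragraph and the keywords are defined and cross-referenced elsewhere in the spec (the generated files link them as attr-iframe-sandbox-allow-same-origin, attr-iframe-sandbox-allow-forms and attr-iframe-sandbox-allow-scripts); a half-applied rename leaves the spec calling the same values "tokens" in one place and "keywords" in another.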




More information about the Commit-Watchers mailing list