[html5] about html5 iframe (2 questions)

Ian Hickson ian at hixie.ch
Mon Aug 9 16:49:56 PDT 2010

On Fri, 18 Jun 2010, Stefano Gargiulo wrote:
> 1) Does the sandboxed="allow-same-origin" attribute allows me to 
> navigating (reading) into thirdy party sites iframe content (cross 
> domain)?

No, that would be a security vulnerability.

You can do it with opt-in from the third-party server using XMLHttpRequest 
and CORS, though.

> 2) Don't you think that an attribute like: "enforce-browser-address-bar-info"
> colud be useful for https iframes (e.g. to implement federated SSO login for
> ajax webapplications without losing the dhtml page state)?
>     i think that this attribute should impose the browser to put the ssl
> certificate info and the complete url of the iframe element into the main
> address bar in addition to the parent window one.

I don't completely understand. What's stopping a browser from doing that 
today anyway?

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

More information about the Help mailing list