[whatwg] The <iframe> element and sandboxing ideas

Ian Hickson ian at hixie.ch
Sat Feb 14 14:39:32 PST 2009

On Mon, 26 May 2008, Ojan Vafai wrote:
> What happens if an iframe is loaded with sandbox set and then the 
> property it is unset? What security origin is it in?

I've clarified the spec to ensure that the flag only takes effect when the 
browsing context is navigated and the Document is created.

> Similiarly, what happens when seamless is set/removed on an iframe 
> already in the page? Does it start inheriting CSS and resize to fit it's 
> content? I don't feel strongly about what should happen in these cases, 
> seems worth being explicit though.

I've added a note saying that it is dynamic, yes.

> > 1. When seamless is set, the compatMode of the iframe should be the 
> > same as that of the parent browsing context, even if the doctype of 
> > the iframe would put it in a different compatmode than its parent.
> I thought about this some more and this seems like a bad idea. If you 
> actualy link to a page that expects to be quirks from a standards 
> parent, then this could be break things. I'll modify this to the 
> following:
> Iframes with an empty src (or no src property) should inherit their 
> parent's compatmode iff seamless is set, otherwise they should be in 
> backcompat unless a standards doctype is document.write'ed in.
> Again the latter part of that is for compatibility with current 
> browsers.

I think making the compat mode inherit only in the case of seamless being 
set and the document being about:blank and there not being a DOCTYPE is 
somewhat too weird to be worth it. I can just imagine people running into 
this and being all confused.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

More information about the whatwg mailing list