[whatwg] Question on iframe.srcdoc address (about:srcdoc)

Tab Atkins Jr. jackalmage at gmail.com
Tue Aug 10 10:54:31 PDT 2010

On Tue, Aug 10, 2010 at 10:30 AM, Tab Atkins Jr. <jackalmage at gmail.com> wrote:
> 1. data: urls are unique-origin automatically, and there's no special
> handling of that wrt sandbox=allow-same-origin (that is, the flag does
> nothing, because the url isn't same-origin to begin with).  @srcdoc,
> on the other hand, should be same-origin by default (though behind a
> sandbox, and thus *treated* as unique-origin unless the
> allow-same-origin flag is set).  Thus, roundtripping the url back into
> @src would produce a document with different behavior.

Sorry, I was misreading part of the spec.  data: urls themselves do
indeed have a unique origin, but a Document generated from a data: url
has the same origin as the including Document (so <iframe
src=data:foo></iframe> is same-origin).


More information about the whatwg mailing list