[whatwg] Question on iframe.srcdoc address (about:srcdoc)
Tab Atkins Jr.
jackalmage at gmail.com
Tue Aug 10 10:54:31 PDT 2010
On Tue, Aug 10, 2010 at 10:30 AM, Tab Atkins Jr. <jackalmage at gmail.com> wrote:
> 1. data: urls are unique-origin automatically, and there's no special
> handling of that wrt sandbox=allow-same-origin (that is, the flag does
> nothing, because the url isn't same-origin to begin with). @srcdoc,
> on the other hand, should be same-origin by default (though behind a
> sandbox, and thus *treated* as unique-origin unless the
> allow-same-origin flag is set). Thus, roundtripping the url back into
> @src would produce a document with different behavior.
Sorry, I was misreading part of the spec. data: urls themselves do
indeed have a unique origin, but a Document generated from a data: url
has the same origin as the including Document (so <iframe
src=data:foo></iframe> is same-origin).
More information about the whatwg