[whatwg] Comments on @sandbox
Ian Hickson
ian at hixie.ch
Mon Jan 11 18:41:31 PST 2010
On Thu, 5 Nov 2009, Adam Barth wrote:
>
> == allow-same-origin + allow-script ==
>
> It's clear that adding both allow-same-origin and allow-script to
> @sandbox at the same time makes the sandbox useless because the sandboxed
> content can simply reach outside the frame and remove the sandbox
> attribute. Should we disallow setting these values at the same time?
> If an author does set both, maybe we should only pay attention to one?
Done. allow-same-origin now overrides allow-scripts.
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
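
An added example, not part of the original message or of the specification: a small Node.js check that flags iframe tags whose sandbox attribute carries both allow-same-origin and allow-scripts, the combination the thread describes as making the sandbox useless. The function names and the sample markup are constructed for illustration, and the regular-expression tag matching is a simplification of real HTML parsing.

```javascript
// Added example: flag <iframe sandbox> values that combine allow-same-origin
// with allow-scripts, the combination discussed in the thread above.
const RISKY = ["allow-same-origin", "allow-scripts"];

// Split a sandbox attribute value into its set of tokens.
// Tokens are whitespace-separated and compared ASCII case-insensitively.
function sandboxTokens(value) {
  return new Set(value.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean));
}

// Return the sandbox attribute value of one <iframe ...> start tag,
// or null when the tag has no sandbox attribute at all.
// Simplification: the word "sandbox" inside another attribute's quoted
// value would be misread; a real linter should use an HTML parser.
function sandboxValue(tag) {
  const re = /\ssandbox(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?(?=[\s/>])/i;
  const m = re.exec(tag);
  if (!m) return null;
  return m[1] ?? m[2] ?? m[3] ?? ""; // bare "sandbox" means an empty token list
}

// Scan HTML text and report every iframe whose sandbox token list
// contains both risky tokens.
function findWeakSandboxes(html) {
  const findings = [];
  for (const m of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const value = sandboxValue(m[0]);
    if (value === null) continue; // not sandboxed at all: out of scope here
    const tokens = sandboxTokens(value);
    if (RISKY.every((t) => tokens.has(t))) {
      findings.push({ offset: m.index, tag: m[0] });
    }
  }
  return findings;
}

// Constructed sample markup (not from the thread).
const SAMPLE = `
<iframe sandbox="allow-scripts" src="widget.html"></iframe>
<iframe sandbox="allow-same-origin allow-forms" src="form.html"></iframe>
<iframe sandbox="Allow-Scripts  ALLOW-SAME-ORIGIN" src="comments.html"></iframe>
<iframe sandbox src="ad.html"></iframe>
<iframe src="plain.html"></iframe>
<iframe sandbox='allow-same-origin
 allow-scripts' src="x.html"></iframe>`;

for (const f of findWeakSandboxes(SAMPLE)) console.log(f.offset, f.tag);
```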